Hopefully this is just a stupid regex error:
I'm using SplunkLightForwarder on AIX to send a few .sh_history logs to an indexer on Windows. Unfortunately ksh uses nulls as delimiters between commands--and it sometimes throws an extra null in for no apparent reason. This makes the Splunk events look something like this:
In other words, multiple events are incorrectly merged, and nulls are sprinkled throughout the logs. I spent a good deal of time trying to solve this (line merge/break settings, transforms, etc.). I ended up with the following in props.conf on my indexer:
This works beautifully, except when I exit the shell after testing this out, what shows up in Splunk?
I can't figure out how in the world my regex is matching the x in exit. I later changed it to
but it still eats the first 'x' in every event (axbxcx becomes abxcx). I've verified that there are no nulls adjacent to the x in the source.
Thanks in advance for your help!
Example data, zipped: http://www.mediafire.com/file/wwckoeo36v8p0v6/ksh-history-example.zip
$ tr "\000" "@" < ksh-history-example
mkdir -p test1/test2/test3
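As an added example (not part of the original post), here is one way to normalize a NUL-delimited ksh history blob before it reaches the forwarder, treating a run of NULs (the stray extra null described above) as a single boundary so that no leading character of a command is lost. The sample bytes are constructed for illustration.

```python
import re

# Constructed sample of a ksh .sh_history fragment: commands separated by NUL,
# with one stray extra NUL between the first two commands (not the post's data).
SAMPLE = b"mkdir -p test1/test2/test3\n\x00\x00ls -la\n\x00exit\n\x00"


def split_history(raw: bytes) -> list:
    """Split a NUL-delimited ksh history blob into one command per event.

    A run of one or more NULs counts as a single boundary, so a stray extra
    delimiter produces no empty event and never swallows a neighbouring byte.
    """
    events = []
    for chunk in re.split(rb"\x00+", raw):
        text = chunk.decode("utf-8", errors="replace").strip("\n")
        if text:
            events.append(text)
    return events


def to_newline_delimited(raw: bytes) -> bytes:
    """Rewrite the blob as one newline-terminated line per command, with
    no NUL bytes left, so the indexer can break events on plain newlines."""
    return b"".join(e.encode("utf-8") + b"\n" for e in split_history(raw))


def lost_characters(raw: bytes) -> bool:
    """Sanity check: every non-NUL byte of the input must survive normalization."""
    return raw.replace(b"\x00", b"").replace(b"\n", b"") != \
        to_newline_delimited(raw).replace(b"\n", b"")
```

Running `lost_characters` against a real history file is a quick way to confirm that the conversion, unlike the regex in the question, keeps every "x" in "exit".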