Here's the scenario. I have a log file in Windows that looks like this: c:\Program Files\server-program>server-command do-stuff-here-to-user joeschmo Command executed successfully. c:\Program Files\server-program>server-command do-stuff-here-to-user invaliduser Error: Unable to execute server command. The user with name 'invaliduser' could not be found. I have the Universal Forwarder on this server monitoring the log successfully. I want the events in Splunk to look like they do in the log, with one event per log entry. I've had to set up linemerging on the indexer in order to get things to look right (without it, log entries would be broken into events in ways I don't want), but I'm still dealing with a problem. Log entries that end successfully are linemerged the way I want, but entries that end with an error are still broken into separate events (one event for the command, and another for the error message output). I've determined this is due to the frequency at which the UF polls the log. Running a command successfully takes less than a second to write both lines to the log, so they appear within the same polling cycle. But if a command fails, it's about a 3 second delay between writing the first line (the command) and the second (the error message output). How do I get Splunk to either poll this file less frequently, or merge the events together? Below is what I currently have in props.conf on the indexer. Thanks! [MyCustomSourcetype] LINE_BREAKER = ([\r\n]+) BREAK_ONLY_BEFORE = c:\\Program SHOULD_LINEMERGE = true ... View more

I'm having some difficulty figuring out the best way to parse the following string, sent by my Cisco switches as SNMP traps when they report interface link up/down: Hex-STRING: 01 00 01 EC 30 91 CC 51 09 00 19 00 In the above example, here's the information that I need to parse and make human readable. The whole string is in hex, but only parts of it should be converted to decimal. Field 1 : 01 = Add, 02 = Remove. Preferably, I'd like the output to simply replace 01 with "connected" and 02 with "disconnected". Field 2 plus Field 3 = VLAN number. These four hex characters denote the VLAN number when converted to decimal (in this example, 00 01 equates to VLAN 1). Would like the output decimal string to be prefaced with "VLAN=". Field 4-9 : Computer's MAC Address. This should stay in hex, but preferably each octet should be delimited with colons and prefaced with "MAC=" (e.g. turn EC 30 91 CC 51 09 into MAC=EC:30:91:CC:51:09). Field 10 : Interface card number. Would be nice to have the value prefaced with "card=" for human readability. Field 11 : Interface port number. Would be nice to have the value prefaced with "port=" for human readability. Field 12 : Unknown (can be skipped) I'm still learning regex and all of Splunk's functions, and I've hacked together this search string based on my very limited knowledge: rex "STRING:\s(?< stat >[0-9]{2})\s(?< vlan >[0-9]{5})\s(?< mac1 >[0-9]{2})\s(?< mac2 >[0-9]{2})\s(?< mac3 >[0-9]{2})\s(?< mac4 >[0-9]{2})\s(?< mac5 >[0-9]{2})\s(?< mac6 >[0-9]{2})\s(?< card >[0-9]{2})\s(?< port >[0-9]{2})" | eval status=if(<stat>=01, "connected", "disconnected") | eval vlan=tostring(tonumber(vlan,16)) | "mac1":"mac2":"mac3":"mac4":"mac5":"mac6" | eval card=tostring(tonumber (card,16)) | eval port=tostring(tonumber (port,16)) (Ignore the spaces around the variables like < stat >, they're just to keep Markdown from thinking they're HTML tags.) Needless to say, this code mess doesn't work. Can someone help me get my act together? TL;DR: Please help me make this string: Hex-STRING: 01 00 01 EC 30 91 CC 51 09 00 19 00 ...look like this: Hex-STRING: connected VLAN 1 MAC=EC:30:91:CC:51:09 card=00 port=19 Thank you! ... View more