Solved: Scripted input with current time and line merge

koudis · ‎06-19-2014

Hi,
does anyone known how to setup scripted input. For example netstat from Unix app with current time and line merging ?
This output doesn't have any timestamp so I want to setup DATETIME_CONFIG=CURRENT/NONE, but when I'm using this, the output is broken into separate lines as new events and it's unreadable.
I don't know if I can somehow unset LINE_BREAKER or setup BREAK_ONLY_BEFORE to EOF ?

Thank you for any advice.

koudis · ‎06-20-2014

Finally, I found a way how to do this:

[interfaces]
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE=true
#break only at the end of input
LINE_BREAKER = (?!)

[package]
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE=true
#break only at the end of input
LINE_BREAKER = (?!)
MAX_EVENTS=1000

[vmstat]
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE=true
#break only at the end of input
LINE_BREAKER = (?!)
MAX_EVENTS=1000

[netstat]
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE=true
#break only at the end of input
LINE_BREAKER = (?!)
MAX_EVENTS=1000

[who]
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE=true
#break only at the end of input
LINE_BREAKER = (?!)
MAX_EVENTS=1000

[ps]
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE=true
#break only at the end of input
LINE_BREAKER = (?!)
MAX_EVENTS=1000

[protocol]
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE=true
#break only at the end of input
LINE_BREAKER = (?!)
MAX_EVENTS=1000

[lastlog]
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE=true
#break only at the end of input
LINE_BREAKER = (?!)
MAX_EVENTS=1000

View solution in original post

koudis · ‎06-20-2014

Finally, I found a way how to do this:

[interfaces]
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE=true
#break only at the end of input
LINE_BREAKER = (?!)

[package]
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE=true
#break only at the end of input
LINE_BREAKER = (?!)
MAX_EVENTS=1000

[vmstat]
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE=true
#break only at the end of input
LINE_BREAKER = (?!)
MAX_EVENTS=1000

[netstat]
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE=true
#break only at the end of input
LINE_BREAKER = (?!)
MAX_EVENTS=1000

[who]
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE=true
#break only at the end of input
LINE_BREAKER = (?!)
MAX_EVENTS=1000

[ps]
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE=true
#break only at the end of input
LINE_BREAKER = (?!)
MAX_EVENTS=1000

[protocol]
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE=true
#break only at the end of input
LINE_BREAKER = (?!)
MAX_EVENTS=1000

[lastlog]
DATETIME_CONFIG = NONE
SHOULD_LINEMERGE=true
#break only at the end of input
LINE_BREAKER = (?!)
MAX_EVENTS=1000

yannK · ‎06-19-2014

First, make sure that the props.conf is on the indexer.

To force the current timestamp use the
DATETIME_CONFIG=CURRENT

then to handle the multiline events use should_linemerge, and add a linebreaking rule depending of your pattern. If you have scripted inputs, you can add a special line between your events to make it easier :
see http://docs.splunk.com/Documentation/Splunk/6.1.1/Data/Indexmulti-lineevents

[mysourcetype] SHOULD_LINEMERGE=true BREAK_ONLY_BEFORE = ^#

#
new events
on 
multiline
#
another
multiline event

koudis · ‎06-20-2014

Hi,
thank you for your answer.
Unfortunately, this will not help.
SHOULD_LINEMERGE=true is default
And I don't want to break anywhere in output. I just want to receive entire output as one event. Should I setup something like this ?
BREAK_ONLY_BEFORE = ^neverexist#

Scripted input with current time and line merge

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life