@skoelpin thanks for any help you can be. The OS is RHEL 6 the output is in key-value pairs as I am use the eval command to create the correct syntax for the outlput values. Check the eval commands in the above search. I use the bdquiry to get the 'URL' and 'CI Name' values. Then do the eval commandss to put those values in the right syntax for the CSV style output.

in the output I get the header row ping,interval,title,url,agent then in each row after that I get the individual values, comma separated of course.

I can put this in word-processor and manipulate it like this;

• delete the first row
• delete all the quote marks
• everywhere there is a line break put two line breaks
• everywhere there is a comma put a line break

this gives me the right format for the input.conf

If you could help with the automation of the "search and replace" as above that would help a great deal

This script will do exactly what you need to do. I made it as simple as possible.. Obviously you will need to refine it so it creates a single output file

#!bin/bash
#This will remove the first line in a file called splunk and send it to output
sed '1d' splunk.txt > output.txt

#This will strip the quotes from output.txt and save to output1.txt
sed 's/"//g' output.txt > output1.txt

#This will find a comma and replace it with a line break and output to a file called output2.txt
cat output1.txt | tr ',' '\n' > output2.txt

I wasn't sure what sample data you had so I went with this

[WebPing://Sharepoint]
 interval = "15m"
 title = "Sharepoint",
 url = https://collaboration.sp.local,
 user_agent = Splunk Website Monitoring (+https://splunkbase.splunk.com/app/1493/)

The output will look like this

 interval = 15m
 title = Sharepoint

 url = https://collaboration.sp.local

 user_agent = Splunk Website Monitoring (+https://splunkbase.splunk.com/app/1493/)

You could also add a few steps to turn off the Splunk forwarder, rename the current inputs.conf to inputsOLD.conf then rename outputs2.txt to inputs.conf move the new inputs.conf to the /bin DIR and then start splunk

We can also create a trigger on the search which can execute this script which will fully automate this process.. But I would recommend we thoroughly test and optimize the process before fully automating

Yeah we could use sed to accomplish this. I will jump on after work tonight and give this a shot

thanks much for the help. I haven't used sed before. I'm more of a windows guy but I have done a little perl and a few .sh simple scripts

And in addition, if you modify or add a .conf file, you have to restart Splunk!.
Bye.
Giuseppe

@cusello thanks for the response. I think the input.conf for this app will refresh with the new entries without having to restart splunk. if not I can automate , schedule, cron job the restart.