I have a scripted file input that is tailing a log file; unfortunately, events are not being broken out correctly. I would like one event per line.
Ideas?
Inputs.conf below:
[script://D:\Splunk\etc\apps\sos\bin\sospowershell.cmd oaintfep03.ps1]
disabled = false
index = main
interval = 90
source = oaintfep03
sourcetype = ps
[Sample of data below]
USERENV(dcf8.5ae8) 17:53:05:315 LoadUserProfile: NULL server name
USERENV(dcf8.5ae8) 17:53:05:315 LoadUserProfile: no thread token found, impersonating self.
USERENV(dcf8.5ae8) 17:53:05:315 GetInterface: Returning rpc binding handle
USERENV(364.20c8) 17:53:05:315 IProfileSecurityCallBack: client authenticated.
USERENV(364.20c8) 17:53:05:315 MIDL_user_allocate enter
USERENV(364.20c8) 17:53:05:315 DropClientContext: Got client token 000009B8, sid = S-1-5-18
USERENV(364.20c8) 17:53:05:315 MIDL_user_allocate enter
USERENV(364.20c8) 17:53:05:315 DropClientContext: load profile object successfully made
USERENV(364.20c8) 17:53:05:315 DropClientContext: Returning 0
USERENV(364.20c8) 17:53:05:331 MIDL_user_free enter
USERENV(dcf8.5ae8) 17:53:05:331 LoadUserProfile: Calling DropClientToken (as self) succeeded
USERENV(dcf8.5ae8) 17:53:05:331 CProfileDialog::Initialize : Cookie generated <917DE8361C59FB6371FF057477808B96>
USERENV(dcf8.5ae8) 17:53:05:331 CProfileDialog::Initialize : Endpoint generated <IProfileDialog_CE7806EEC5C36D56A877F1B2156E21BB>
USERENV(364.102f8) 17:53:05:331 IProfileSecurityCallBack: client authenticated.
USERENV(364.102f8) 17:53:05:331 MIDL_user_allocate enter
USERENV(364.102f8) 17:53:05:331 LoadUserProfileI: RPC end point IProfileDialog_CE7806EEC5C36D56A877F1B2156E21BB
USERENV(364.102f8) 17:53:05:331 In LoadUserProfileP
USERENV(364.102f8) 17:53:05:331 LoadUserProfile: Running as client, sid = S-1-5-18
USERENV(364.102f8) 17:53:05:331 =========================================================
USERENV(364.102f8) 17:53:05:331 LoadUserProfile: Entering, hToken = <0xd80>, lpProfileInfo = 0x207bb80
USERENV(364.102f8) 17:53:05:331 LoadUserProfile: lpProfileInfo->dwFlags = <0x0>
ps is for PowerShell; I am on Windows.
Changing props.conf fixed that issue; however, my event is now 257 lines long. Should I use max events = 1 to get one event per line?
Using a file monitor had issues since it detected my file as binary; the files are encoded in Unicode, and I am able to tail the file in the correct encoding in PowerShell. It could be better, but this mostly works.
I appreciate your help.
First, if you have the Splunk *NIX app installed, there is already a sourcetype named ps, and it doesn't match what you are doing here. So if you are using the *NIX app (or think you might in the future), I suggest that you pick a different name for your sourcetype. That might solve the problem altogether, but if it doesn't:
Create the following stanza in props.conf (or add to an existing one):
props.conf
[yoursourcetypename]
SHOULD_LINEMERGE=false
Be sure that you put this props.conf on your indexer (or wherever the data is parsed).
PS - why are you using a scripted input to tail a log file? I would think that a monitor input would be preferable...
Hello
Edit or create your props.conf file and add:
[ps]
SHOULD_LINEMERGE=false
That should force one event per line.
Regards
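A fuller props.conf stanza for the USERENV sample in the question, as an added example that is not part of the thread: it sets SHOULD_LINEMERGE=false as both answers advise (MAX_EVENTS is not needed, since it only caps how many lines get merged when merging is on) and adds timestamp settings matched to the sample lines. The sourcetype name userenv_log, the regexes and the TRUNCATE value are assumptions.

```ini
# props.conf (added example, not from the thread). "userenv_log" is an
# assumed replacement for "ps", following the advice above to avoid the
# *NIX app's own "ps" sourcetype. Put this where the data is parsed.
[userenv_log]
# Index every line the script emits as its own event instead of
# merging lines together (the merge is why the event grew to 257 lines).
SHOULD_LINEMERGE = false
# Break events at line endings; the captured newline is discarded.
LINE_BREAKER = ([\r\n]+)
# The time stamp follows "USERENV(pid.tid) ", e.g. 17:53:05:315.
TIME_PREFIX = ^USERENV\([0-9a-fA-F]+\.[0-9a-fA-F]+\)\s+
TIME_FORMAT = %H:%M:%S:%3N
# "17:53:05:315" is 12 characters; stop looking after that.
MAX_TIMESTAMP_LOOKAHEAD = 12
# The sample carries no date, so Splunk fills in the current date.
# Cap a stray over-long line rather than merging it with others.
TRUNCATE = 10000

# inputs.conf: the scripted input from the question, pointed at the
# renamed sourcetype. Everything else is unchanged.
[script://D:\Splunk\etc\apps\sos\bin\sospowershell.cmd oaintfep03.ps1]
disabled = false
index = main
interval = 90
source = oaintfep03
sourcetype = userenv_log
```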