I have tried following http://www.splunk.com/base/Documentation/latest/Admin/Setupcustom(scripted)inputs, but I am having no luck. I can't seem to get the BREAK_ONLY_BEFORE to work for me.
My script is basically a wrapper around pkginfo.
It returns package information with each package on a new line.
Please help! Anyone!
Here are the inputs.conf and props.conf located in $SPLUNK_HOME/etc/apps/scripts/default:
inputs.conf:
[script://$SPLUNK_HOME/etc/apps/scripts/bin/pi.sh]
interval = 60
sourcetype = pkginfo
source = pkginfo
disabled = 0
props.conf:
[pkginfo]
SHOULD_LINEMERGE = false
LINE_BREAKER = (?!)
Can you share the pi.sh that you are calling?
Just set:
SHOULD_LINEMERGE = false
LINE_BREAKER = (?!)
Assuming that your script is called periodically by a cron schedule.
This is still not working for me, unfortunately.
Here is my props.conf
[pkginfo]
SHOULD_LINEMERGE = false
LINE_BREAKER = (?!)
Here is the inputs.conf:
[script://$SPLUNK_HOME/etc/apps/scripts/bin/pi.sh]
interval = 60
sourcetype = pkginfo
source = pkginfo
disabled = 0
These are both in:
$SPLUNK_HOME/etc/apps/scripts/default