Can you help me write a regex to index a configuraton file like below. There are no time stamps in it. Anything in < ....> and </ ....> is a event.
< setup>
loglevel = 0
logfile = net_connect.log
interval = 10
max_threads = 10
icmp_burst = 3
icmp_timeout = 2
icmp_size = 32
qos_interval = 10min
bind = no
< /setup>
< profiles>
< abbpenwscac25.test.com>
active = yes
QoS = yes
ping = yes
interval = 5min
hostname = abbpenwscac25.test.com
ip = 10.21.225.35
timeout = 10
failures = 2
retries = 2
msg_ok = MsgConnectOk
msg_fail = MsgConnectFail
source = 0
target = 2
icmp_size = 0
flags = 0
group = origin:Network;class:12db_ci_netgear;
contactinfo = Network Services
alarm = 3
icmp_threshold = 2000
alarm_on_packet_loss = no
packets_to_send = 0
max_packets_lost = 0
qos_on_packets_lost = no
delay_between_packet_to_send = 0
< /abbpenwscac25.test.com>
< abbpenwscac26.test.com>
active = yes
QoS = yes
ping = yes
interval = 5min
hostname = abbpenwscac26.test.com
ip = 10.21.225.36
timeout = 10
failures = 2
retries = 2
msg_ok = MsgConnectOk
msg_fail = MsgConnectFail
source = 0
target = 2
icmp_size = 0
flags = 0
group = origin:Network;class:12db_ci_netgear;
contactinfo = Network Services
alarm = 3
icmp_threshold = 2000
alarm_on_packet_loss = no
packets_to_send = 0
max_packets_lost = 0
qos_on_packets_lost = no
delay_between_packet_to_send = 0
< /abbpenwscac26.test.com>
< /profiles>
Yes, they are supposed to be abbpenwscac25.test.com and abbpenwscac26.test.com.
Data preview is your best friend.
http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/Overviewofdatapreview
Are you events supposed to be : abbpenwscac25.test.com and abbpenwscac26.test.com ?
[EDIT]
example :
Try this sourcetype definition in props.conf
`
[mysourcetype]
BREAK_ONLY_BEFORE=^<
# to start after opening html tags.
BREAK_ONLY_BEFORE_DATE=false
MUST_BREAK_AFTER=<./.*>$
# to break after closing html tags
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
# for the timestamp, you can use the index time
DATETIME_CONFIG = CURRENT
`
and test with data preview
Yes, they are supposed to be abbpenwscac25.test.com and abbpenwscac26.test.com.