Solved: Re: How to index a simple dir in Windows Environme...

verbal_666 · ‎07-19-2017

Hi guys.
A simple question (i hope 🙂 ).
I need to index in a single event this very very simple Windows .cmd output,

19/07/2017-11:27:12,55
 Il volume nell'unità C è OSDisk
 Numero di serie del volume: F445-8CA0
 Directory di c:\
12/11/2015  16:00    <DIR>          adsm.sys
09/07/2013  18:07    <DIR>          Applicazioni
09/07/2013  16:28    <DIR>          Build
20/01/2015  16:03    <DIR>          cygwin
13/06/2017  11:52    <DIR>          inetpub
09/07/2013  16:55    <DIR>          infappdata
09/07/2013  16:21    <DIR>          Intel
09/07/2013  18:07    <DIR>          IRN
09/07/2013  18:07    <DIR>          JETFORM
09/07/2013  18:03    <DIR>          Jfsa
27/11/2015  18:01    <DIR>          KVRT_Data
09/07/2013  17:48    <DIR>          MQSERIES
14/07/2009  04:37    <DIR>          PerfLogs
13/06/2017  12:04    <DIR>          Program Files
13/06/2017  12:04    <DIR>          ProgramData
02/05/2017  12:33    <DIR>          Quarantine
19/07/2017  10:27    <DIR>          Temp
19/08/2014  11:02    <DIR>          tsm_images
05/07/2017  08:39    <DIR>          Users
30/06/2017  12:29    <DIR>          Windows
30/06/2017  12:29    <DIR>          _logfiles
               0 File              0 byte
              21 Directory  431.218.503.680 byte disponibili
---ENDDIR

Now, with default Splunk conf files (props), INDEXER split each line in 1 event, and stops at first new TIMESTAMP,

EVENT#1    19/07/2017-11:27:12,55
EVENT#2     Il volume nell'unità C è OSDisk
EVENT#3     Numero di serie del volume: F445-8CA0
EVENT#4     Directory di c:\

The only way i can get a single event is to insert in props.conf, something like,

[mysourcetype]
BREAK_ONLY_BEFORE = ---ENDDIR

So i get my event, with a new one (with pattern of BREAK_ONLY_BEFORE ) then

(EVENT#1) 19/07/2017-11:27:12,55
  Il volume nell'unità C è OSDisk
  Numero di serie del volume: F445-8CA0
  Directory di c:\
 12/11/2015  16:00    <DIR>          adsm.sys
 09/07/2013  18:07    <DIR>          Applicazioni
 09/07/2013  16:28    <DIR>          Build
 20/01/2015  16:03    <DIR>          cygwin
 13/06/2017  11:52    <DIR>          inetpub
 09/07/2013  16:55    <DIR>          infappdata
 09/07/2013  16:21    <DIR>          Intel
 09/07/2013  18:07    <DIR>          IRN
 09/07/2013  18:07    <DIR>          JETFORM
 09/07/2013  18:03    <DIR>          Jfsa
 27/11/2015  18:01    <DIR>          KVRT_Data
 09/07/2013  17:48    <DIR>          MQSERIES
 14/07/2009  04:37    <DIR>          PerfLogs
 13/06/2017  12:04    <DIR>          Program Files
 13/06/2017  12:04    <DIR>          ProgramData
 02/05/2017  12:33    <DIR>          Quarantine
 19/07/2017  10:27    <DIR>          Temp
 19/08/2014  11:02    <DIR>          tsm_images
 05/07/2017  08:39    <DIR>          Users
 30/06/2017  12:29    <DIR>          Windows
 30/06/2017  12:29    <DIR>          _logfiles
                0 File              0 byte
               21 Directory  431.218.503.680 byte disponibili

(EVENT#2) ---ENDDIR

I also tried a

BREAK_ONLY_BEFORE_DATE = False

with no results.

Any solution?
Thanks.

WalshyB · ‎07-19-2017

try

[mysourcetype]
LINE_BREAKER = ---ENDDIR([\r\n]+)

View solution in original post

WalshyB · ‎07-19-2017

try

[mysourcetype]
LINE_BREAKER = ---ENDDIR([\r\n]+)

verbal_666 · ‎07-19-2017

Works greeeeeeeeeeeeeeeeeeeeeeeeat 🙂
Thanks.
ps. think, i tried a
LINE_BREAKER = ---ENDDIR
without success before!!! I think i forgot the "carriage return linefeed" 🙂 thanks again 🙂

WalshyB · ‎07-19-2017

you're welcome, try not to put the title in all caps next time 😉

verbal_666 · ‎07-19-2017

Sure 😉 i promise 😉 thanks again for the hint...

How to index a simple dir in Windows Environment

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk