I'm trying to index a bunch of plugin files such that each file is a single event. I've tried almost every combination of the following options without success. Splunk still treats every line as a separate event. I'm running the latest 4.2.3 build. I feel like this was working eight months ago when last I played with it, but it seems to be broken now.

[nessus_plugins]

I'm noticing that events indexed last year are working, but newly indexed events are not being broken properly. The files are XML formatted. I remember reading that there were some changes to how XML inputs are indexed in some of the later versions.

Thanks.
Any way that you could post some of the data? Can you clean it up if there is anything company-specific in it? Just post a couple of events.

Sure. They're standard Nessus 4 NASL scripts. Here's a snippet:

    if (!defined_func("bn_random")) exit(0);
    include("compat.inc");
    if (description)
    {
      script_id(20614);
      script_version("$Revision: 1.9 $");
      script_cvs_date("$Date: 2011/10/21 11:16:48 $");
      script_cve_id("CVE-2004-0889");
      script_xref(name:"USN", value:"2-1");
      script_name(english:"USN-2-1 : xpdf vulnerabilities");
      script_summary(english:"Checks dpkg output for updated package(s)");
      script_set_attribute(attribute:"synopsis", value:
(17 Jan '12, 14:46)
mundus
I notice that all the plugins get overwritten each time they are updated. Maybe there's something I need to tweak in inputs.conf...?
(17 Jan '12, 14:47)
mundus