Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Event dropped after "build" XML tag in input

Ovi
Path Finder
‎03-27-2013 07:58 AM

OK, I have a puzzling issue....
I have a simple input script that sends a POST request and gets back an XML reply as input
This works just fine and I am getting back fine about 100 XML lines that I am able to extract and chart in Splunk
However I encountered a strange behaviour that I can only describe as follows:
- if one of the XML response tags is , Splunk will drop everything else after that
- it's not that it breaks the event - it will actually terminate it (everything else after is gone)

I tried with multiple input XMLs but they all behave the same - as soon as a tag is present the rest is dropped. Otherwise everything works fine

So I am at a loss at this point. Any clue why this is happening and how can I get around it?

Here's the event as recorded by Splunk:

**» 3/27/13 10:36:28.000 AM

<?xml version="1.0" encoding="UTF-8"?>
env:Bodydp:timestamp2013-03-27T10:36:28-04:00/dp:timestampdp:status
6803467
XI52.5.0.0.5
223327
host=CS1DPIST Options|

sourcetype=datapower Options|

source=E:\Splunk\etc\apps\datapower\bin\datapower_ist_sys.cmd*

And here's the full sample script output if ran from command line:

<?xml version="1.0" encoding="UTF-8"?>

env:Body

dp:timestamp2013-03-27T10:38:36-04:00/dp:timestamp
dp:status
6803467
XI52.5.0.0.5
223327
2013/01/15 14:47:52
XI52.5.0.0.5
XI52.5.0.0.5
XI52.5.0.0.5
embedded
7199
42X
/dp:status
/dp:response
/env:Body
/env:Envelope*

Tags (1)
0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎03-27-2013 08:19 AM

Splunk sees another date, and is likely therefore interpreting it as a new event. You'll have to update your props.conf for this sourcetype to reflect a TIME_FORMAT, probably TIME_PREFIX, and likely a MAX_TIMESTAMP_LOOKAHEAD as well.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

0 Karma
Reply

Ovi
Path Finder
‎03-27-2013 09:14 AM

Excellent. That was it. I disabled the sucker for this sourcetype (DATETIME_CONFIG = NONE) and is all good now Thanks man!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...