Solved: XML Log Line Breaking and Timestamps

skansi · ‎08-07-2014

Hello, I have a problem I could use some help with.

I need to extract data from a XML log file (entries are labelled ) in Splunk. I have to upload an XML log file, and it uploads as a text string. Here is the XML sample:

<LOG><ENTRY><VRIJEME>2010-08-12T10:38:26</VRIJEME><CC>9369175136276314</CC><IZNOS>6427.91</IZNOS></ENTRY><ENTRY><VRIJEME>1998-06-17T04:13:55</VRIJEME><CC>6675476885047681</CC><IZNOS>72452.87</IZNOS></ENTRY>......</LOG>

I use ISO time (YYYY-MM-DDTHH:MM:SS). This way Splunk automatically recognized the first timestamp in the string. I want to break the text in separate events so that Splunk can take the timestamp from each line.

I tried to add LINE_BREAKER = ([\r\n]*)<ENTRY> (this worked for the non-ISO time, where Splunk did not recognize the timestamp), but Splunk gets stuck at 100%.

Thanks! Cheers!

somesoni2 · ‎08-07-2014

Try something like this in you porps.conf.

[yoursourcetype]
BREAK_ONLY_BEFORE = ([\r\n]*)\<ENTRY\>
NO_BINARY_CHECK = 1
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TIME_PREFIX = VRIJEME\>

View solution in original post

somesoni2 · ‎08-07-2014

Try something like this in you porps.conf.

[yoursourcetype]
BREAK_ONLY_BEFORE = ([\r\n]*)\<ENTRY\>
NO_BINARY_CHECK = 1
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TIME_PREFIX = VRIJEME\>

skansi · ‎08-07-2014

I only had to kodify it slightly to

[xmltest2]
LINE_BREAKER = ([\r\n]*)<ENTRY>
NO_BINARY_CHECK = 1
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
TIME_PREFIX = VRIJEME>

skansi · ‎08-07-2014

Thanks, it worked!

skansi · ‎08-07-2014

Sorry, the forum ate up the backslashes:
LINE_BREAKER = ([backslashrbackslashn]*)

XML Log Line Breaking and Timestamps

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!