- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Unable to break xml without timestamp
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unable to break xml without timestamp
I am trying to break these into separate events and have tried everything and its just not working
< sale id="1012128864" reportGroup="asdasd" customerId="7412213255" >
< orderId>101221348864 < /orderId >
< amount>1999 < /amount >
< orderSource >ecommerce < /orderSource >
< token >
<litleToken >8888888888888 < /litleToken >
< expDate >1120 < /expDate >
< /token >
< / sale >
props.conf are
[custom_sourcetype]
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = \
SHOULD_LINEMERGE = true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Kindly share couple of more
_raw logs from log file..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It won't seem to let me upload the file, but literally there are just a bunch of blocks like this that are exactly the same with different element values. No timestamps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works for me with your sample data.
props.conf are
[custom_sourcetype]
BREAK_ONLY_BEFORE = \<\s*sale\s
MUST_BREAK_AFTER = \<\s*/sale\s*\>
BREAK_ONLY_BEFORE_DATE = false
DATETIME_CONFIG = CURRENT
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
pulldown_type = 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Odd this still doesn't work for me. I must have doe setting somewhere overriding this. Any ideas where it might be? The props.conf I am editing is definitely the etc/system/local.props.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only thing that overrides etc/system/local would be if you're using a clustered indexing setup, with custom rules pushed by the cluster master to the indexer peers. So unless you're in a cluster, system/local/props.conf is the king of the hill.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm, im stumped then, because we definitely aren't doing that. Ill keep working on it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, yes this is an example of a single event, with many others formatted the same. No matter what I try, it won't break them up.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is one event you have or you want to break these into separate entries?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
