Problem with XML event getting split on date field within XML

hjferrara
New Member

I have XML-formatted events being logged, and they are getting split on date fields that exist inside the XML event. My inputs.conf file is:

[monitor:///path/to/logfile/osb.log*]  
index=isb_other  
sourcetype=osb-log  
followTail=1  

My props.conf file is:

[osb-log]  
KV_MODE = xml  
SHOULD_LINEMERGE = true  
BREAK_ONLY_BEFORE_DATE = true  
TIME_PREFIX = ####>  
TIME_FORMAT = %b %d, %Y %H:%M:%S %p  

Since I could not figure out how to get my raw XML event to show up correctly, I opted to reference it via pastebin.

http://pastebin.com/TLqcJFpJ

If I remove the second date (line 20 of the pastebin), it comes in properly as a single event. And the second date string does not even follow the time format I specify in my props.conf file.

I even tried to use a props.conf file as follows, since the message contains the character string ALSB at the beginning of every event. The date string still causes the event to be split.

[osb-log]  
KV_MODE = xml  
SHOULD_LINEMERGE = false  
BREAK_ONLY_BEFORE_DATE = false  
LINE_BREAKER=(ALSB)  

I am sure there is something I am missing or some mistake I am making. It is almost like the props file is being ignored.


sowings
Splunk Employee

I think it's that your TIME_PREFIX doesn't match the data. Because Splunk can't successfully find a time stamp with the prefix and TIME_FORMAT you specify, it falls back to its own internal parsing rules. These rules include a host of possible formats, in which both the first and second timestamps will find a match. Try changing your prefix to ####< and see what happens.

gkanapathy
Splunk Employee

This should work:

SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=####\<)
TRUNCATE = 9999999
TIME_PREFIX = ^####\<
TIME_FORMAT = %b %d, %Y %H:%M:%S %p %Z
MAX_TIMESTAMP_LOOKAHEAD = 30

But so should your last effort (though it will also mess up your event), so really what's going on is that either your props.conf is not getting applied at index time, or else that sourcetype stanza is not getting applied at index time. Possibly it's on the wrong server.

Also, you really shouldn't use followTail = true, unless it's just for the first time. If you do feel you need to use it, set it up, then take it out as soon as possible after the first data comes into Splunk.
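As an added illustration (not code from any post in this thread), this Python snippet emulates how the LINE_BREAKER, TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD settings above act on a constructed OSB log sample, and shows why the question's original `####>` prefix never matches. The sample events, the `<order>` payload and the function names are assumptions; GMT is used because Python's strptime only accepts UTC/GMT or the local zone name for `%Z`, whereas Splunk is more permissive.

```python
import re
from datetime import datetime

# Constructed sample (not the pastebin): two OSB events opened by "####<" whose XML
# carries a second date in another format. GMT: Python's strptime %Z accepts only UTC/GMT/local.
SAMPLE_LOG = """####<Jan 12, 2012 10:15:32 AM GMT> <Info> <ALSB Logging> <host1>
<[PipelineName, pipeline, stage1, REQUEST]
<order>
  <created>2012-01-12 10:15:31</created>
</order>>
####<Jan 12, 2012 10:15:33 AM GMT> <Info> <ALSB Logging> <host1>
<[PipelineName, pipeline, stage2, RESPONSE]
<order>
  <created>2012-01-12 10:15:31</created>
</order>>
"""

# Settings from the answer above. Splunk discards the LINE_BREAKER's first
# capture group and starts the next event at the lookahead, so "####<" is kept.
LINE_BREAKER = re.compile(r"([\r\n]+)(?=####\<)")
TIME_PREFIX = re.compile(r"^####\<")
TIME_FORMAT = "%b %d, %Y %H:%M:%S %p %Z"
MAX_TIMESTAMP_LOOKAHEAD = 30
# The question's original prefix: "####>" never occurs in these events, so the
# lookup fails and Splunk falls back to its built-in timestamp heuristics.
ORIGINAL_TIME_PREFIX = re.compile(r"####>")

def break_events(raw):
    """Split raw text into events as SHOULD_LINEMERGE=false + LINE_BREAKER does."""
    parts = LINE_BREAKER.split(raw)  # [event, "\n", event, "\n", ...]
    return [p.rstrip("\r\n") for p in parts[::2] if p.strip()]

def find_timestamp(event, prefix=TIME_PREFIX, fmt=TIME_FORMAT,
                   lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Find prefix, then parse fmt within the next `lookahead` chars; None if no match."""
    m = prefix.search(event)
    if m is None:
        return None
    window = event[m.end():m.end() + lookahead]
    # Splunk accepts a timestamp shorter than the window; emulate that by
    # trimming from the right until strptime succeeds.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], fmt)
        except ValueError:
            continue
    return None
```

With the corrected settings both events keep their embedded `<created>` date inside the event body, and each event's timestamp is taken from the `####<` header; with the original prefix the lookup returns None, which is the fallback behaviour sowings describes.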

gkanapathy
Splunk Employee

As I said, your props.conf or that stanza is not getting applied at index time to that data, for whatever reason. Again, it may be in the wrong place, or there may be something else going on, but there isn't enough info here to say.


hjferrara
New Member

I tried the above as well as the suggestion below, as well as numerous combinations. I either still get it broken into two events by date, or I only get one event made up of the second half (started by the second date).
