Problem with XML event getting split on date field within XML

hjferrara
New Member

I have XML formatted events being logged and they are getting split on date fields that exist inside the XML event. My inputs.conf file is:

[monitor:///path/to/logfile/osb.log*]  
index=isb_other  
sourcetype=osb-log  
followTail=1  

My props.conf file is:

[osb-log]  
KV_MODE = xml  
SHOULD_LINEMERGE = true  
BREAK_ONLY_BEFORE_DATE = true  
TIME_PREFIX = ####>  
TIME_FORMAT = %b %d, %Y %H:%M:%S %p  

Since I could not figure out how to get my raw XML event to show up correctly, I opted to reference it via pastebin.

http://pastebin.com/TLqcJFpJ

If I remove the second date (line 20 of the pastebin) it comes in properly as a single event. And the second date string does not even follow the time format I specify in my props.conf file.

I even tried the following props.conf, since the message contains the character string ALSB at the beginning of every event. The date string still causes the event to be split.

[osb-log]  
KV_MODE = xml  
SHOULD_LINEMERGE = false  
BREAK_ONLY_BEFORE_DATE = false  
LINE_BREAKER=(ALSB)  

I am sure there is something I am missing or some mistake I am making. It is almost like the props file is being ignored.

sowings
Splunk Employee

I think it's that your TIME_PREFIX doesn't match the data. Because Splunk can't successfully find a time stamp with the prefix and TIME_FORMAT you specify, it falls back to its own internal parsing rules. These rules include a host of possible formats, in which both the first and second timestamps will find a match. Try changing your prefix to ####< and see what happens.

gkanapathy
Splunk Employee

This should work:

SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=####\<)
TRUNCATE = 9999999
TIME_PREFIX = ^####\<
TIME_FORMAT = %b %d, %Y %H:%M:%S %p %Z
MAX_TIMESTAMP_LOOKAHEAD = 30

But so should your last effort (though it will also mess up your event), so really what's going on is that either your props.conf is not getting applied at index time, or else that sourcetype stanza is not getting applied at index time. Possibly it's on the wrong server.

Also, you really shouldn't use followTail = true, unless it's just for the first time. If you do feel you need to use it, set it up, then take it out as soon as possible after the first data comes into Splunk.
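As an added illustration (not code from this thread and not Splunk's own implementation), the Python below simulates how a LINE_BREAKER's first capture group splits the stream and how TIME_PREFIX plus MAX_TIMESTAMP_LOOKAHEAD locate the timestamp, over a constructed two-record OSB-style log whose first record carries a second, differently formatted date inside its XML. The record layout is an assumption based on the settings posted above; the timestamp format uses `%I` because Python's strptime needs it for `%p` to take effect.

```python
import re
from datetime import datetime

# Constructed sample (not the poster's pastebin): two OSB-style records; the first
# carries an XML payload with a second, differently formatted date inside it.
SAMPLE_LOG = (
    "####<Feb 3, 2012 10:15:22 AM EST> <Info> <ALSB Logging> <host1> <payload>\n"
    '  <order id="42">\n'
    "    <created>Fri, 03 Feb 2012 10:15:20 GMT</created>\n"
    "  </order>\n"
    "</payload>\n"
    "####<Feb 3, 2012 10:16:05 AM EST> <Info> <ALSB Logging> <host1> <ok/>\n"
)

# The answer's settings as Python regexes, plus the two from the question.
LINE_BREAKER = re.compile(r"([\r\n]+)(?=####<)")
ALSB_BREAKER = re.compile(r"(ALSB)")       # the poster's LINE_BREAKER attempt
TIME_PREFIX = re.compile(r"^####<")
WRONG_PREFIX = re.compile(r"^####>")       # the poster's original TIME_PREFIX
TIME_FORMAT = "%b %d, %Y %I:%M:%S %p"      # %I, not %H: strptime needs it for %p
MAX_TIMESTAMP_LOOKAHEAD = 30

def break_events(raw, breaker=LINE_BREAKER):
    """Split like LINE_BREAKER: the boundary is capture group 1, whose text is dropped."""
    events, start = [], 0
    for m in breaker.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]

def extract_timestamp(event, prefix=TIME_PREFIX, fmt=TIME_FORMAT,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Datetime right after the prefix, or None when the prefix never matches
    (the case in which Splunk falls back to its own date-recognition rules)."""
    m = prefix.search(event)
    if not m:
        return None
    window = event[m.end():m.end() + lookahead]
    # Take the longest leading slice of the lookahead window the format accepts.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], fmt)
        except ValueError:
            continue
    return None

if __name__ == "__main__":
    for ev in break_events(SAMPLE_LOG):
        print(extract_timestamp(ev), "|", extract_timestamp(ev, prefix=WRONG_PREFIX))
```

With the `(ALSB)` breaker the first event ends in `<Info> <` and the second no longer starts with `####<`, so the prefix cannot match; that is the "mess up your event" effect mentioned above.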

gkanapathy
Splunk Employee

As I said, your props.conf or that stanza is not getting applied at index time to that data, for whatever reason. Again, it may be in the wrong place, or there may be something else going on, but there isn't enough info here to say.

hjferrara
New Member

I tried the above as well as the suggestion below, and numerous other combinations. I either still get it broken into two events by date, or I only get one event made up of the second half (started by the second date).
