Sorry to post another XML parsing question; I checked most of the answers related to similar questions, but nothing seems to work.
I am trying to parse an XML log in a clustered environment:
4 indexers, 3 heavy forwarders, 1 deployment server.
Sample XML log:
Query
0
0
1
set
S
Query
0
0
1
set
S
props.conf file:
[sample]
kv_mode=xml
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=
CHARSET=UTF-8
disabled=false
inputs.conf:
[monitor:///var/log/sample.xml]
index=sample
sourcetype=sample
I am using the /opt/splunk/bin/splunk reload deploy-server command to deploy the changes and restart. On the heavy forwarders the files are getting updated as well.
But whatever changes I make to props.conf, the XML events in Splunk are not changing and are parsed as below.
event 1
Query
0
0
1
set
S
event 2
Query
0
0
1
set
S
PS: I copied props.conf from the Splunk console when I tried to upload the data manually.
Can someone please figure out what the issue is here? Thanks in advance.
This makes no sense. The events that you posted are not XML. Are those really your events?
This is a good start but you have not told us anything about what you are trying to change. We see what the raw data looks like but what is wrong with them?
Hi Woodcock, I am trying to parse the XML log using the given props.conf, with BREAK_ONLY_BEFORE=AUDIT_RECORD.
I am trying to provide a sample XML log here in my post, but it is not getting posted, as I see in the preview.
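An added example, not from this thread or from Splunk's own documentation, of how the posted stanza could be split across the tiers of this deployment. It assumes the record element is literally <AUDIT_RECORD> (the name given in the reply above, with the angle brackets lost in posting), that the heavy forwarders are the first full Splunk instances to parse /var/log/sample.xml, and keeps the sourcetype name "sample" from the post.

```ini
# --- props.conf on the heavy forwarders (parsing tier) ---
# Line breaking is an index-time setting: it is applied by the first full
# Splunk instance that parses the file, and only to data that arrives
# after that instance restarts. Events already indexed keep their old shape.
[sample]
# As posted: BREAK_ONLY_BEFORE is empty, so Splunk falls back to its
# default line-merging rules, which do not know where an audit record begins.
# SHOULD_LINEMERGE = true
# BREAK_ONLY_BEFORE =

# Corrected: break the stream only where a new <AUDIT_RECORD> element
# starts (element name assumed from the thread) and turn line merging off,
# so one XML record becomes exactly one event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=<AUDIT_RECORD)
# 0 disables truncation of long records.
TRUNCATE = 0
NO_BINARY_CHECK = true
CHARSET = UTF-8

# --- props.conf on the search heads ---
# XML field extraction is a search-time setting, so it has no effect on
# the forwarders; it must be present where the searches actually run.
[sample]
KV_MODE = xml
```

To confirm which copy of the stanza is in effect on a given instance, compare the output of "splunk btool props list sample --debug" on a heavy forwarder and on a search head; each should show the settings above coming from the deployed app rather than from a local directory.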
Be sure that you don't have a local version of props.conf. If you do, it will take precedence over the version you are pushing out and override any settings there.
Hi Codebuilder, I have removed all the files from the local folder.
What else could the issue be?
If you had a local version of props.conf and removed it, then you'll likely need to cycle your search head or SHC. Then re-test.
Sample XML log:
Query
0
0
1
set
S
Query
0
0
1
set
S
and the events I am able to see are
event 1
Query
0
0
1
set
S
event 2
Query
0
0
1
set
S