Hi all,
I have an XML log file that looks something like this.
    <matrix>
      <datasource>
        <name>ABC</name>
      </datasource>
      <datasource>
        <name>XYZ</name>
      </datasource>
      <datasource>
        <name>EFG</name>
      </datasource>
      <datasource>
        <name>RST</name>
      </datasource>
    </matrix>
Basically, this is one big file that updates itself every 5 minutes and should be
read as a single entry for each refresh. Unfortunately, Splunk reads that
separately and chops them up when parsing.
Is there a way to tell Splunk that it should read from
for each event?
Yes, there is, and it can be done in two ways.
http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf
No, because props.conf is organized into stanzas. The stanza header says which object (source, sourcetype or host) will be affected by the settings.
If by using (2), it says "When set, Splunk creates a new event only if it encounters a new line that matches the
regular expression." Would that mean my other logs (which are not configured this way) will be impacted in some way?
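
Added example, not part of the original posts: a props.conf stanza that applies the BREAK_ONLY_BEFORE setting quoted above to the sample log only. The sourcetype name `matrix_xml` and the `MAX_EVENTS` value are assumptions chosen for illustration.

```ini
# props.conf (added example; "matrix_xml" is a hypothetical sourcetype name
# that must match the sourcetype assigned to this log file at input time)

[matrix_xml]
# Merge consecutive lines into multi-line events.
SHOULD_LINEMERGE = true

# Start a new event only when a line begins the root element, so each
# 5-minute refresh (<matrix> ... </matrix>) becomes a single event.
BREAK_ONLY_BEFORE = ^\s*<matrix>

# Merged events are capped at 256 lines by default; raise the cap if one
# refresh can contain more lines than that (value here is an assumption).
MAX_EVENTS = 10000

# The settings above apply only to data matching the stanza header.
# Logs with other sourcetypes keep their existing event-breaking behaviour.
# A stanza can also be keyed on source or host instead, for example:
#   [source::<path to the XML file>]
#   [host::<hostname>]
```

The stanza has to be deployed where the data is parsed (indexer or heavy forwarder), and it affects only data indexed after the change.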