Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Event dropped after "build" XML tag in input

Ovi
Path Finder
‎03-27-2013 07:58 AM

OK, I have a puzzling issue....
I have a simple input script that sends a POST request and gets back an XML reply as input
This works just fine and I am getting back fine about 100 XML lines that I am able to extract and chart in Splunk
However I encountered a strange behaviour that I can only describe as follows:
- if one of the XML response tags is , Splunk will drop everything else after that
- it's not that it breaks the event - it will actually terminate it (everything else after is gone)

I tried with multiple input XMLs but they all behave the same - as soon as a tag is present the rest is dropped. Otherwise everything works fine

So I am at a loss at this point. Any clue why this is happening and how can I get around it?

Here's the event as recorded by Splunk:

**» 3/27/13 10:36:28.000 AM

<?xml version="1.0" encoding="UTF-8"?>
env:Bodydp:timestamp2013-03-27T10:36:28-04:00/dp:timestampdp:status
6803467
XI52.5.0.0.5
223327
host=CS1DPIST Options|

sourcetype=datapower Options|

source=E:\Splunk\etc\apps\datapower\bin\datapower_ist_sys.cmd*

And here's the full sample script output if ran from command line:

<?xml version="1.0" encoding="UTF-8"?>

env:Body

dp:timestamp2013-03-27T10:38:36-04:00/dp:timestamp
dp:status
6803467
XI52.5.0.0.5
223327
2013/01/15 14:47:52
XI52.5.0.0.5
XI52.5.0.0.5
XI52.5.0.0.5
embedded
7199
42X
/dp:status
/dp:response
/env:Body
/env:Envelope*

Tags (1)
0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎03-27-2013 08:19 AM

Splunk sees another date, and is likely therefore interpreting it as a new event. You'll have to update your props.conf for this sourcetype to reflect a TIME_FORMAT, probably TIME_PREFIX, and likely a MAX_TIMESTAMP_LOOKAHEAD as well.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

0 Karma
Reply

Ovi
Path Finder
‎03-27-2013 09:14 AM

Excellent. That was it. I disabled the sucker for this sourcetype (DATETIME_CONFIG = NONE) and is all good now Thanks man!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...