Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

xml logs are terminated half way before end of log.

smudge797
Path Finder
‎07-29-2013 06:34 AM

We have a log which is being indexed ok to start with, however splunk stops reading it when only half has been indexed. the log is 4.6MB and XML format.

In data previewer:
500 events read
Bytes = 4,535,856
Events = 2,877 (about half)

Tags (3)
0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎08-06-2013 07:56 AM

You're probably triggering MAX_EVENTS in stitching the lines back together. By default Splunk breaks on newlines, then attempts to "linemerge" the lines back into the context of the main event (consider a stack trace with multiple lines...). The default behavior is to only seam together 257 (the original + 256 more) lines in this way. It's more efficient if you can tell Splunk "yo, just consume the whole file" rather than that split + recombine behavior.

For a file that is an entire, complete and single XML document, I'd suggest to set the LINE_BREAKER to "just grab everything" ^()$ and disable the linemerging functionality with SHOULD_LINEMERGE=false.

0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎08-04-2013 11:43 PM

Just to be clear... you're offering statistics from the data previewer, but you don't mean that do you? Splunk only previews a sub section of the data, not the whole file. You're talking about Splunk not actually indexing the whole file correct... not just that it's only previewing half.

If it has stopped reading the file before the file ends, there should be some reason for stopping indicated in the splunkd.log since Splunk will be taking action on the index.
TRUNCATE will come into play only if Splunk is suddenly seeing one big line for some reason...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply

linu1988
Champion
‎08-04-2013 10:57 PM

Could you add TRUNCATE=0 in props.conf?

0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎08-04-2013 10:33 PM

check the splunkd.log
$SPLUNK_HOME/var/log/splunk/splunkd.log
there might be something interesting in there...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...