- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Why are we unable to parse XML log in a cluste...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are we unable to parse XML log in a clustered environment?
Sorry to post another xml parsing post, I checked most of the Answers related to similar question as this but nothing seems to work.
I am trying to parse xml log in a clustered environment.
4 indexers 3 heavy forwarders 1 deployment server
sample xml log :
Query
0
0
1
set
S
Query
0
0
1
set
S
Props.conf file:
[sample]
kv_mode=xml
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=
CHARSET=UTF-8
disabled=false
inputs.conf:
[monitor:///var/log/sample.xml]
index=sample
sourcetype=sample
I m using /opt/splunk/bin/splunk reload deploy-server command to deploy changes and restart ,In heavy forwarders files are getting updated as well.
But whatever changes i am making to props.conf the xml events in splunk is not changing and parsing as below.
event1
Query
0
0
1
set
S
event 2
Query
0
0
1
set
S
PS : I have copied props.conf from splunk console when i tried to upload data manually .
Can someone please figure out what is the issue here. Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This makes no sense. The events that you posted are not XML. Are those really your events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a good start but you have not told us anything about what you are trying to change. We see what the raw data looks like but what is wrong with them?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Woodcook , i m trying to parse the xml log using the given props.conf. with BREAK_ONLY_BEFORE=AUDIT_RECORD ,
I m trying to provide sample xml log here in my post, but its nt getting posted as i see in preview.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Be sure that you don't have a local version of props.conf. If you do, it will take precedence over the version you are pushing out and override any settings there.
An upvote would be appreciated and Accept Solution if it helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Codebuilder , I have removed all the files from local folder.
What else can be the issue ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you had a local version of props.conf and removed it, then you'll likely need to cycle your search head or SHC. Then re-test.
An upvote would be appreciated and Accept Solution if it helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sample xml log :
Query
0
0
1
set
S
Query
0
0
1
set
S
and events i m able to see are
event1
Query
0
0
1
set
S
event2
Query
0
0
1
set
S
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
