I have an XML file I want to bring into splunk as a single event. It is the equivalent of an Excel file. The props.conf is set as:
[excelxml]
SHOULD_LINEMERGE = true
TRUNCATE = 0
MAX_EVENTS = 500000
TIME_PREFIX = \
TIME_FORMAT = %d:%m:%Y:%h:%m:%s
This does result in an event that matches the file, and it has the correct timestamp. But I also get another event with some of the row data in it.
The event I want shows all the data. The event I don't want starts at the first tag.
I suspect that some default xml processing is breaking out the row data, but I am not sure how to suppress this. Any hints appreciated.
Thanks
... View more