Good day everyone!
I have the following config in props so that it creates a new event only if it encounters a new line with a date, but the logs are still being broken down into several events.
[sourcetype]
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 25
BREAK_ONLY_BEFORE_DATE = true
SHOULD_LINEMERGE = True
MAX_EVENTS = 10000
Am I missing something, i.e. adding TRUNCATE = 100000 (or a higher value)? Or is there any specific parameter to add in props for an XML kind of log?
See sample logs below.
"===================" denotes new events created in Splunk
2015-05-01 11:03:00,818 INFO [HTTP Handler 10.241.43.96] appName=CSAccountTransactionEntSvc.findTransactions|service=CSAccountTransactionEntSvc.provider.ws.v1.CSAccountTransactionEntSvc_.services.findTransactions|event=End Audit|AuditTrackingID=XXXXXXX|AccountID=XXXXXXX|user=Tester
<?xml version="1.0"?>
<applicationName>CSAccountTransactionEntSvc.findTransactions</applicationName>
<eventName>End Audit</eventName>
<level>INFO</level>
<content>
<document>
<AuditHeader>
<Message>
<AuditTrackingID>XXXXXXX</AuditTrackingID>
<OperationName>findTransactions</OperationName>
<CreationDateTime>2014-06-29T23:20:56Z</CreationDateTime>
<ServiceVersion>1.1</ServiceVersion>
<Organisation>MBL</Organisation>
</Message>
<OperationInitiator>
<System>Online</System>
<Component>Comp</Component>
<User>Tester</User>
</OperationInitiator>
<MessageInitiator>
<System>Online</System>
</MessageInitiator>
</AuditHeader>
<StatusLog>
<MaxItemStatus>Error</MaxItemStatus>
<Item>
<Status>Error</Status>
<Type>Technical Error</Type>
<Code>ESB_E1000</Code>
<Description>Exception Occured - [ISC.0049.9010] Service 'CSAccountTransactionEntSvc.operation.findTransactions.pub:findTransactions' invoking unknown service 'ESBCommonUtilsEnablerSvc.pub.statusLog:mapStatusLogFromValidationErrors' at 'Transformer ESBCommonUtilsEnablerSvc.pub.statusLog:mapStatusLogFromValidationErrors'. The service may have been renamed, moved or disabled. ; Error Source - CSAccountTransactionEntSvc.provider.ws.v1.CSAccountTransactionEntSvc_.services:findTransactions</Description>
<System>ESB</System>
</Item>
</StatusLog>
</document>
</content>
<identifiers>
<id1>
<idType>AuditTrackingID</idType>
<idValue>XXXXXXX</idValue>
</id1>
<id2>
<idType>AccountID</idType>
<idValue>XXXXXXX</idValue>
</id2>
</identifiers>
<extendedAttributes>
<applicationServerName>Online</applicationServerName>
<applicationTimestamp>2014-06-29T23:20:56Z</applicationTimestamp>
<applicationTimestampPattern>yyyy-MM-dd'T'hh:mm:ss.S'Z'</applicationTimestampPattern>
<serviceName>CSAccountTransactionEntSvc.provider.ws.v1.CSAccountTransactionEntSvc_.services:findTransactions</serviceName>
==================================================
</id2>
</identifiers>
<extendedAttributes>
<applicationServerName>Online</applicationServerName>
<applicationTimestamp>2014-06-29T23:20:56Z</applicationTimestamp>
<applicationTimestampPattern>yyyy-MM-dd'T'hh:mm:ss.S'Z'</applicationTimestampPattern>
<serviceName>CSAccountTransactionEntSvc.provider.ws.v1.CSAccountTransactionEntSvc_.services:findTransactions</serviceName>
<user>Tester</user>
</extendedAttributes>
==================================================
</RangeList>
<SearchItemList>
<SearchItem>
<ItemType>
<Code>TxnStatus</Code>
<Name></Name>
</ItemType>
<ItemValue>Posted</ItemValue>
</SearchItem>
</SearchItemList>
</FindTransactionsInSearchCriteria>
</FindTransactionsInput>
</document>
<extendedDocument>
<AuditHeader>
<Message>
<AuditTrackingID>XXXXXXX</AuditTrackingID>
<OperationName>findTransactions</OperationName>
<CreationDateTime>2014-06-29T23:20:56Z</CreationDateTime>
<ServiceVersion>1.1</ServiceVersion>
<Organisation>MBL</Organisation>
</Message>
<OperationInitiator>
<System>Online</System>
<Component>Comp</Component>
<User>Tester</User>
</OperationInitiator>
<MessageInitiator>
<System>Online</System>
</MessageInitiator>
</AuditHeader>
<StatusLog>
<MaxItemStatus>Error</MaxItemStatus>
<Item>
<Status>Error</Status>
<Type>Technical Error</Type>
<Code>ESB_E1000</Code>
<Description>Exception Occured - [ISC.0049.9010] Service 'CSAccountTransactionEntSvc.operation.findTransactions.pub:findTransactions' invoking unknown service 'ESBCommonUtilsEnablerSvc.pub.statusLog:mapStatusLogFromValidationErrors' at 'Transformer ESBCommonUtilsEnablerSvc.pub.statusLog:mapStatusLogFromValidationErrors'. The service may have been renamed, moved or disabled. ; Error Source - CSAccountTransactionEntSvc.provider.ws.v1.CSAccountTransactionEntSvc_.services:findTransactions</Description>
<System>ESB</System>
</Item>
</StatusLog>
</extendedDocument>
</content>
<identifiers>
<id1>
<idType>AuditTrackingID</idType>
<idValue>XXXXXXX</idValue>
</id1>
<id2>
<idType>AccountID</idType>
<idValue>XXXXXXX</idValue>
==================================================
<ServiceVersion>1.1</ServiceVersion>
<Organisation>MBL</Organisation>
</Message>
<OperationInitiator>
<System>Online</System>
<Component>Comp</Component>
<User>Tester</User>
</OperationInitiator>
<MessageInitiator>
<System>Online</System>
</MessageInitiator>
</AuditHeader>
<FindTransactionsInput>
<FindTransactionsInAccount>
<AccountBase>
<AccountID>XXXXXXXXXXXXX</AccountID>
<CountryCode>AU</CountryCode>
<AccountNo>XXXXXXXXX</AccountNo>
<BSBNo>XXXXXX</BSBNo>
<CurrencyCode>AUD</CurrencyCode>
<AccountName>XXXXXXX</AccountName>
<AccountShortName>XXXXX</AccountShortName>
<SourceSystem>SAP</SourceSystem>
</AccountBase>
</FindTransactionsInAccount>
<FindTransactionsInSearchCriteria>
<IndicatorList>
<Indicator>
<IndicatorType>
<Code>RunningBalance</Code>
<Name></Name>
</IndicatorType>
<IndicatorValue>Y</IndicatorValue>
</Indicator>
<Indicator>
<IndicatorType>
<Code>AccountBalances</Code>
<Name></Name>
</IndicatorType>
<IndicatorValue>Y</IndicatorValue>
</Indicator>
</IndicatorList>
<MaxResults>10</MaxResults>
<RangeList>
<Range>
<RangeType>
<Code>Amount</Code>
</RangeType>
<LowerValue>100.00</LowerValue>
<UpperValue>10.00</UpperValue>
</Range>
==================================================
<System>Online</System>
<Component>Comp</Component>
<User>Tester</User>
</OperationInitiator>
<MessageInitiator>
<System>Online</System>
</MessageInitiator>
</AuditHeader>
<FindTransactionsInput>
<FindTransactionsInAccount>
<AccountBase>
<AccountID>XXXXXXXXXXXXX</AccountID>
<CountryCode>AU</CountryCode>
<AccountNo>XXXXXXXXX</AccountNo>
<BSBNo>XXXXXX</BSBNo>
<CurrencyCode>AUD</CurrencyCode>
<AccountName>XXXXXXX</AccountName>
<AccountShortName>XXXXX</AccountShortName>
<SourceSystem>SAP</SourceSystem>
</AccountBase>
</FindTransactionsInAccount>
<FindTransactionsInSearchCriteria>
<IndicatorList>
<Indicator>
<IndicatorType>
<Code>RunningBalance</Code>
<Name></Name>
</IndicatorType>
<IndicatorValue>Y</IndicatorValue>
</Indicator>
<Indicator>
<IndicatorType>
<Code>AccountBalances</Code>
<Name></Name>
</IndicatorType>
<IndicatorValue>Y</IndicatorValue>
</Indicator>
</IndicatorList>
<MaxResults>10</MaxResults>
<RangeList>
<Range>
<RangeType>
<Code>Amount</Code>
</RangeType>
<LowerValue>100.00</LowerValue>
<UpperValue>10.00</UpperValue>
</Range>
</RangeList>
<SearchItemList>
<SearchItem>
<ItemType>
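Added example, not part of the original post and not Splunk's own line-merging code: an offline Python check of the rule the post is after (a new event only where a line begins with the TIME_FORMAT timestamp), run over a constructed sample that also carries ISO dates inside the XML body. The regexes, function names and sample lines are assumptions made for this example.

```python
import re

# Line-start timestamp matching the post's TIME_FORMAT (%Y-%m-%d %H:%M:%S,%3N).
# Anchoring at the start of the line is the assumption under test.
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\s")
# Loose date pattern, used only to report lines that carry a date elsewhere.
ANY_DATE = re.compile(r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}")

# Constructed sample, shortened from the log format shown in the post.
SAMPLE = """\
2015-05-01 11:03:00,818 INFO [HTTP Handler 10.241.43.96] event=End Audit|user=Tester
<?xml version="1.0"?>
<eventName>End Audit</eventName>
<CreationDateTime>2014-06-29T23:20:56Z</CreationDateTime>
<applicationTimestamp>2014-06-29T23:20:56Z</applicationTimestamp>
<user>Tester</user>
2015-05-01 11:03:01,002 INFO [HTTP Handler 10.241.43.96] event=Start Audit|user=Tester
<?xml version="1.0"?>
<CreationDateTime>2014-06-29T23:20:57Z</CreationDateTime>
"""

def split_events(raw):
    """Group lines into events; a new event starts only at EVENT_START."""
    events = []
    for line in raw.splitlines():
        if EVENT_START.match(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)
    return events

def embedded_date_lines(raw):
    """Lines that contain a date but do not begin a new event."""
    return [l for l in raw.splitlines()
            if ANY_DATE.search(l) and not EVENT_START.match(l)]

def orphan_events(events):
    """Events whose first line is not a header; these indicate a bad split."""
    return [e for e in events if not EVENT_START.match(e[0])]

if __name__ == "__main__":
    evs = split_events(SAMPLE)
    print(len(evs), "events;", len(embedded_date_lines(SAMPLE)),
          "lines carry a date that must not start an event;",
          len(orphan_events(evs)), "orphans")
```

Running `orphan_events` over events exported from the index flags fragments like the ones in the sample above, which begin with a closing tag instead of the header line.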