Let me first preface this by saying that I am a total Splunk newbie, and this is very similar to a lot of XML parsing questions; however, I have read through ~20 topics and am still unable to get my XML log to parse properly.
Here is a sample of my XML file:
<?xml version="1.0" encoding="utf-8"?>
<Customers>
<customer>
<customerName>SampleCustomer1</customerName>
<siteName>Main</siteName>
<lastUpdated>8/10/2015 8:09:51 AM</lastUpdated>
<alarmedState>False</alarmedState>
<updateFrequency>45</updateFrequency>
<pointsNotCommunicating>
<pointNotCommunicating>SamplePoint1@2015-07-02 17:07:00</pointNotCommunicating>
<totalNotCommunicating>1</totalNotCommunicating>
</pointsNotCommunicating>
<ClientIsUp>true</ClientIsUp>
</customer>
<customer>
<customerName>SampleCustomer2</customerName>
<siteName>Main</siteName>
<lastUpdated>8/10/2015 8:27:57 AM</lastUpdated>
<alarmedState>False</alarmedState>
<updateFrequency>30</updateFrequency>
<pointsNotCommunicating>
<totalNotCommunicating>0</totalNotCommunicating>
</pointsNotCommunicating>
<ClientIsUp>true</ClientIsUp>
</customer>
</Customers>
First, what I did was create a new file called props.conf in my Splunk directory under .../etc/system/local, because there wasn't a props.conf file there. Here is the entire contents of my props.conf file:
[source::C:\\Program Files (x86)\\SkySparkServer\\serverStatus.xml]
# props.conf settings are written "key = value", not "key: value"
sourcetype = SkySparkLog
[SkySparkLog]
KV_MODE = xml
TIME_PREFIX = <lastUpdated>
# strptime pattern: plain "/" separators, and %p so the AM/PM marker is consumed
TIME_FORMAT = %m/%d/%Y %I:%M:%S %p
SHOULD_LINEMERGE = true
MUST_NOT_BREAK_BEFORE = \</pointsNotCommunicating\>
MUST_BREAK_AFTER = \</customer\>
TRUNCATE = 0
Is this the proper method, and if so, am I doing something wrong in my props.conf file?
Thanks for the help.
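Before reloading Splunk, it helps to check offline that the event-breaking rule and the timestamp format actually fit the file. The script below is an added example, not from the original post or from Splunk: it splits a constructed copy of the sample into one event per customer (what MUST_BREAK_AFTER </customer> is meant to do), parses <lastUpdated> with a strptime pattern that includes %p for the AM/PM marker, and pulls out the leaf fields roughly as KV_MODE=xml would.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in the same shape as serverStatus.xml from the question
# (trimmed to the fields that matter for breaking and timestamping).
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?><Customers>
<customer>
<customerName>SampleCustomer1</customerName>
<lastUpdated>8/10/2015 8:09:51 AM</lastUpdated>
<updateFrequency>45</updateFrequency>
<pointsNotCommunicating>
<pointNotCommunicating>SamplePoint1@2015-07-02 17:07:00</pointNotCommunicating>
<totalNotCommunicating>1</totalNotCommunicating>
</pointsNotCommunicating>
<ClientIsUp>true</ClientIsUp>
</customer>
<customer>
<customerName>SampleCustomer2</customerName>
<lastUpdated>8/10/2015 8:27:57 PM</lastUpdated>
<updateFrequency>30</updateFrequency>
<pointsNotCommunicating>
<totalNotCommunicating>0</totalNotCommunicating>
</pointsNotCommunicating>
<ClientIsUp>true</ClientIsUp>
</customer>
</Customers>
"""

# One event per <customer> block; the props.conf rules approximate this split.
EVENT_RE = re.compile(r"<customer>.*?</customer>", re.DOTALL)
TIME_PREFIX_RE = re.compile(r"<lastUpdated>([^<]+)")
# Same pattern as the corrected TIME_FORMAT: no backslashes, %p for AM/PM.
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"

def split_events(text):
    """Break the file into per-customer events."""
    return EVENT_RE.findall(text)

def parse_event(event):
    """Return (timestamp, {tag: [values]}) for one customer event."""
    ts = datetime.strptime(TIME_PREFIX_RE.search(event).group(1), TIME_FORMAT)
    fields = {}
    for node in ET.fromstring(event).iter():
        if len(node) == 0 and node.text and node.text.strip():
            fields.setdefault(node.tag, []).append(node.text.strip())
    return ts, fields

def parse_file(text):
    return [parse_event(e) for e in split_events(text)]
```

The second customer deliberately carries a PM timestamp: without %p it would parse as 08:27:57 instead of 20:27:57.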