Hi, novice splunker here.
I'm having an issue in getting all the timestamps correctly parsed from the DATE and TIME fields of a given xml log.
That xml log contains exactly 68 short records of dummy client transactions. Some are parsed correctly, some incorrectly.
props.conf:
[xml_log]
TIME_PREFIX = <DATE>
TIME_FORMAT = %d%m%Y</DATE>%n<TIME>%H%M%S
SHOULD_LINEMERGE = false
LINE_BREAKER = (<\/LOG>)
REPORT-xmlext = xml-ex
It seems also that LINE_BREAKER excludes ending part of the log or '< / LOG>' since it's missing/hidden from the event listing as illustrated in screenshots above. Thank you for the kind help.
... View more