https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131708#M27094 <P>This is one event you have or you want to break these into separate entries?</P> Fri, 19 Sep 2014 01:39:02 GMT somesoni2 2014-09-19T01:39:02Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131707#M27093 <P>I am trying to break these into separate events and have tried everything and its just not working</P> <PRE><CODE>&lt; sale id="1012128864" reportGroup="asdasd" customerId="7412213255" &gt; &lt; orderId&gt;101221348864 &lt; /orderId &gt; &lt; amount&gt;1999 &lt; /amount &gt; &lt; orderSource &gt;ecommerce &lt; /orderSource &gt; &lt; token &gt; &lt;litleToken &gt;8888888888888 &lt; /litleToken &gt; &lt; expDate &gt;1120 &lt; /expDate &gt; &lt; /token &gt; &lt; / sale &gt; </CODE></PRE> <P>props.conf are </P> <PRE><CODE>[custom_sourcetype] BREAK_ONLY_BEFORE_DATE = false BREAK_ONLY_BEFORE = \ SHOULD_LINEMERGE = true </CODE></PRE> Fri, 19 Sep 2014 00:52:25 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131707#M27093 Cuyose 2014-09-19T00:52:25Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131708#M27094 <P>This is one event you have or you want to break these into separate entries?</P> Fri, 19 Sep 2014 01:39:02 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131708#M27094 somesoni2 2014-09-19T01:39:02Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131709#M27095 <P>Sorry, yes this is an example of a single event, with many others formatted the same. No matter what I try, it won't break them up.</P> Fri, 19 Sep 2014 03:13:27 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131709#M27095 Cuyose 2014-09-19T03:13:27Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131710#M27096 <P>This works for me with your sample data.</P> <P>props.conf are</P> <PRE><CODE>[custom_sourcetype] BREAK_ONLY_BEFORE = \&lt;\s*sale\s MUST_BREAK_AFTER = \&lt;\s*/sale\s*\&gt; BREAK_ONLY_BEFORE_DATE = false DATETIME_CONFIG = CURRENT NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = true pulldown_type = 1 </CODE></PRE> Fri, 19 Sep 2014 03:38:52 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131710#M27096 somesoni2 2014-09-19T03:38:52Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131711#M27097 <P>Kindly share couple of more <BR /> _raw logs from log file..</P> Fri, 19 Sep 2014 03:49:46 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131711#M27097 neelamssantosh 2014-09-19T03:49:46Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131712#M27098 <P>Odd this still doesn't work for me. I must have doe setting somewhere overriding this. Any ideas where it might be? The props.conf I am editing is definitely the etc/system/local.props.conf</P> Fri, 19 Sep 2014 14:11:08 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131712#M27098 Cuyose 2014-09-19T14:11:08Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131713#M27099 <P>It won't seem to let me upload the file, but literally there are just a bunch of blocks like this that are exactly the same with different element values. No timestamps</P> Fri, 19 Sep 2014 15:09:48 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131713#M27099 Cuyose 2014-09-19T15:09:48Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131714#M27100 <P>The only thing that overrides etc/system/local would be if you're using a clustered indexing setup, with custom rules pushed by the cluster master to the indexer peers. So unless you're in a cluster, system/local/props.conf is the king of the hill.</P> Fri, 19 Sep 2014 16:52:43 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131714#M27100 sowings 2014-09-19T16:52:43Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131715#M27101 <P>Hmm, im stumped then, because we definitely aren't doing that. Ill keep working on it.</P> Fri, 19 Sep 2014 17:01:23 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-break-xml-without-timestamp/m-p/131715#M27101 Cuyose 2014-09-19T17:01:23Z