topic change sourcetype to XML in Getting Data In

change sourcetype to XML

amal4885 — Fri, 21 Aug 2015 07:39:46 GMT

I'm on Splunk 6.2 at the moment.
I've specified a folder to monitor to collect NPS logs from a Windows 2012 server.
The files are stored as .log but the content is XML. So the fields aren't getting extracted properly.

How do I force the Universal forwarder to specify the data as XML?

Re: change sourcetype to XML

jeffland — Fri, 21 Aug 2015 07:45:40 GMT

How did you define your data input? Did you specify KV_MODE = xml for the sourcetype?

Re: change sourcetype to XML

amal4885 — Wed, 26 Aug 2015 02:05:13 GMT

I don't believe I have.

So is it just a matter of adding the following lines props.conf on the server?

[source::.../mylogs/*.log]
KV_MODE = xml

Re: change sourcetype to XML

bmacias84 — Tue, 29 Sep 2020 07:07:40 GMT

Dont forget you will probably have to specify the BREAK_ONLY, BREAK_BEFORE, BREAK_AFTER settings within the stanza for the sourcetype to prevent it from being a giant blog.

Re: change sourcetype to XML

amal4885 — Wed, 26 Aug 2015 02:48:17 GMT

By the way this is one of the lines from my log file

<Event><Timestamp data_type="4">08/18/2015 17:22:56.609</Timestamp><Computer-Name data_type="1">NUCLEUS</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Acct-Session-Id data_type="2">7282B03F</Acct-Session-Id><Packet-Type data_type="0">4</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

 [source::.../mylogs/*.log]
TIME_PREFIX = \Timestamp data_type="4">
BREAK_ONLY_BEFORE = ^<Event>
SHOULD_LINEMERGE = False
MUST_BREAK_AFTER = \/Event>

Re: change sourcetype to XML

jeffland — Wed, 26 Aug 2015 07:00:18 GMT

I don't think this would work - you specified SHOULD_LINEMERGE = false but specified your line breaking settings via line merging options. Either use SHOULD_LINEMERGE = false with LINE_BREAKER = regex, something like

LINE_BREAKER = ([\r\n]+)<Event>

in your case, or use SHOULD_LINEMERGE = true with any of the other line breaking settings such as BREAK_ONLY_BEFORE or MUST_BREAK_AFTER (see props.conf and search for SHOULD_LINEMERGE for details).
You can verify your settings by using the "Add Data" wizard with one of your files (go to Settings -> Add Data -> Upload). This will show you the effect of the settings on your data before indexing it.

Re: change sourcetype to XML

amal4885 — Thu, 27 Aug 2015 00:43:12 GMT

Perfect.. that helped.