topic Re: Define custom sourcetype XML in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Define-custom-sourcetype-XML/m-p/237727#M46184 <P>Give this a try (props.conf on Indexer/Heavy forwarder)</P> <PRE><CODE>[yoursourcetype] SHOULD_LINEMERGE=true LINE_BREAKER=(\&lt;\?xml[^\?]+\?\&gt;) TIME_PREFIX=Time\s*\&gt; TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%N </CODE></PRE> Tue, 08 Mar 2016 18:25:41 GMT somesoni2 2016-03-08T18:25:41Z Define custom sourcetype XML https://community.splunk.com/t5/Getting-Data-In/Define-custom-sourcetype-XML/m-p/237726#M46183 <P>I'm trying to define a custom sourcetype. I have one file with multiple XML files.</P> <P>For example MyFile.xml:</P> <PRE><CODE>&lt;?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?&gt;&lt;DATA&gt; &lt;Time&gt;2016-02-12T00:00:00.211Z&lt;/Time&gt; &lt;Item&gt; &lt;ID&gt;1545454&lt;/ID&gt; &lt;VAR1&gt;897654564dDJUHFKHJHEU&lt;/VAR1&gt; &lt;/Item&gt; &lt;Check&gt;OK&lt;/Check&gt; &lt;/DATA&gt; &lt;?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?&gt;&lt;DATA&gt; &lt;Time&gt;2016-02-12T00:00:00.211Z&lt;/Time&gt; &lt;Item&gt; &lt;ID&gt;456849836848&lt;/ID&gt; &lt;VAR5&gt;78964DFDFli_DFDFD_DFDF&lt;/VAR5&gt; &lt;/Item&gt; &lt;Check&gt;FAILD&lt;/Check&gt; &lt;/DATA&gt; &lt;?xml version = '1.0' encoding = 'UTF-8'?&gt;&lt;LOG&gt; &lt;Send&gt;FKK_64646464&lt;/Send&gt; &lt;TimestampSend&gt;2016-02-08T04:44:53.417Z&lt;/TimestampSend&gt; &lt;By&gt;MFF_5687654&lt;/By&gt; &lt;MessageId&gt;Title Test&lt;/MessageId&gt; &lt;Message&gt; &lt;Resp&gt; &lt;EventTime&gt;2016-02-08T04:44:53.418Z&lt;/EventTime&gt; &lt;Info&gt; &lt;Item&gt; &lt;Id&gt;INFO_222&lt;/Id&gt; &lt;/Item&gt; &lt;Description&gt; &lt;Id&gt;BCC_456&lt;/Id&gt; &lt;ByID&gt;45&lt;/ByID&gt; &lt;/Description&gt; &lt;/Info&gt; &lt;Status&gt;404&lt;/Status&gt; &lt;/Resp&gt; &lt;/Message&gt; &lt;/LOG&gt; &lt;?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?&gt;&lt;DATA&gt; &lt;Time&gt;2016-02-12T00:00:00.211Z&lt;/Time&gt; &lt;Item&gt; &lt;ID&gt;45454545&lt;/ID&gt; &lt;VAR88&gt;LJDKI_DFDFDF_DFDFDF_EJRHUHEJK&lt;/VAR88&gt; &lt;/Item&gt; &lt;Check&gt;WARNING&lt;/Check&gt; &lt;/DATA&gt; &lt;?xml version = '1.0' encoding = 'UTF-8'?&gt;&lt;LOG&gt; &lt;Send&gt;FKK_64646465&lt;/Send&gt; &lt;TimestampSend&gt;2016-02-08T04:48:53.417Z&lt;/TimestampSend&gt; &lt;By&gt;MFF_5687655&lt;/By&gt; &lt;MessageId&gt;Title Test&lt;/MessageId&gt; &lt;Message&gt; &lt;Resp&gt; &lt;EventTime&gt;2016-02-08T04:48:53.418Z&lt;/EventTime&gt; &lt;Info&gt; &lt;Item&gt; &lt;Id&gt;INFO_223&lt;/Id&gt; &lt;/Item&gt; &lt;Description&gt; &lt;Id&gt;BCC_457&lt;/Id&gt; &lt;ByID&gt;46&lt;/ByID&gt; &lt;/Description&gt; &lt;/Info&gt; &lt;Status&gt;404&lt;/Status&gt; &lt;/Resp&gt; &lt;/Message&gt; &lt;/LOG&gt; </CODE></PRE> <P>My props.conf</P> <PRE><CODE>[mysourcetype] DATETIME_CONFIG = CURRENT KV_MODE = xml LINE_BREAKER = (&lt;?xml) NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = false TRUNCATE = 0 pulldown_type = 1 </CODE></PRE> <P>How can I set the LINE_BREAKER by "&lt;?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?&gt;"<BR /> Is there a way te set the DATETIME to or with regex?<BR /> What did I do wrong?</P> Tue, 08 Mar 2016 11:56:20 GMT https://community.splunk.com/t5/Getting-Data-In/Define-custom-sourcetype-XML/m-p/237726#M46183 raymondc 2016-03-08T11:56:20Z Re: Define custom sourcetype XML https://community.splunk.com/t5/Getting-Data-In/Define-custom-sourcetype-XML/m-p/237727#M46184 <P>Give this a try (props.conf on Indexer/Heavy forwarder)</P> <PRE><CODE>[yoursourcetype] SHOULD_LINEMERGE=true LINE_BREAKER=(\&lt;\?xml[^\?]+\?\&gt;) TIME_PREFIX=Time\s*\&gt; TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%N </CODE></PRE> Tue, 08 Mar 2016 18:25:41 GMT https://community.splunk.com/t5/Getting-Data-In/Define-custom-sourcetype-XML/m-p/237727#M46184 somesoni2 2016-03-08T18:25:41Z