https://community.splunk.com/t5/Getting-Data-In/Splunk-chews-XML-Input/m-p/89193#M97295 <P>If you don't want the date and IP appended, add the following to your inputs.conf:</P> <PRE><CODE>no_priority_stripping = true no_appending_timestamp = true </CODE></PRE> <P>Splunk defaults these values to false, telling splunk to strip the first field in &lt;&gt; and then append the host IP and the date to the event.</P> <P>Hope this helps!</P> Tue, 26 Apr 2011 16:44:16 GMT bbingham 2011-04-26T16:44:16Z https://community.splunk.com/t5/Getting-Data-In/Splunk-chews-XML-Input/m-p/89192#M97294 <P>Hello there,<BR /> I have a number of applications that I want to log to Splunk. I will be sending the data in an XML format via a UDP listener. The data that is being sent looks like:</P> <P><CODE>&lt;log4j:event logger="ASP.global_asax" level="INFO" timestamp="1303830487907" thread="15"&gt;&lt;log4j:message&gt;New session started&lt;/log4j:message&gt;&lt;log4j:properties&gt;&lt;log4j:data name="log4japp" value="4ef113dd-9-129483040292873753(4644)" /&gt;&lt;log4j:data name="log4jmachinename" value="W7-SUN-JSTANTON" /&gt;&lt;/log4j:properties&gt;&lt;/log4j:event&gt;</CODE></P> <P>However when it is processed by Splunk it appears like:</P> <P>`Apr 26 16:18:09 127.0.0.1 <A href="log4j:message">log4j:message</A>New session started<A href="https://answers.splunk.comlog4j:message">/log4j:message</A><A href="log4j:properties">log4j:properties</A><DATA name="log4japp" value="4ef113dd-9-129483040292873753(4644)"></DATA><DATA name="log4jmachinename" value="W7-SUN-JSTANTON"></DATA><A href="https://answers.splunk.comlog4j:properties">/log4j:properties</A><A href="https://answers.splunk.comlog4j:event">/log4j:event</A></P> <P>Basically it looks like Splunk looks like it has overwritten the opening node, and as a result lossing the log level data, with the datetime that it received it. The applications that are sending it are using nLog with a log4j type target (with an Log4JXmlEventLayout layout). I have configured the sourcetype as log4jxml (custom name) but I think I need to tell it not to do something with the date/time field in the props.conf file (but not too sure what that something is).</P> <P>I am also using the windows version of Splunk so the file paths are slightly different to the online manuals.</P> <P>Any help would be most welcome.</P> <P>Kind regards</P> <P>Jonathan</P> Tue, 26 Apr 2011 15:52:06 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-chews-XML-Input/m-p/89192#M97294 ac931274 2011-04-26T15:52:06Z https://community.splunk.com/t5/Getting-Data-In/Splunk-chews-XML-Input/m-p/89193#M97295 <P>If you don't want the date and IP appended, add the following to your inputs.conf:</P> <PRE><CODE>no_priority_stripping = true no_appending_timestamp = true </CODE></PRE> <P>Splunk defaults these values to false, telling splunk to strip the first field in &lt;&gt; and then append the host IP and the date to the event.</P> <P>Hope this helps!</P> Tue, 26 Apr 2011 16:44:16 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-chews-XML-Input/m-p/89193#M97295 bbingham 2011-04-26T16:44:16Z https://community.splunk.com/t5/Getting-Data-In/Splunk-chews-XML-Input/m-p/89194#M97296 <P>Thanks for this. I have also learnt that you have to put the files in the directory C:\Program Files\Splunk\etc\apps\search\local and NOT C:\Program Files\Splunk\etc\system\local <EM>doh</EM></P> Tue, 26 Apr 2011 18:01:25 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-chews-XML-Input/m-p/89194#M97296 ac931274 2011-04-26T18:01:25Z