Archive

Splunk chews XML Input

Explorer

Hello there,
I have a number of applications that I want to log to Splunk. I will be sending the data in an XML format via a UDP listener. The data that is being sent looks like:

<log4j:event logger="ASP.global_asax" level="INFO" timestamp="1303830487907" thread="15"><log4j:message>New session started</log4j:message><log4j:properties><log4j:data name="log4japp" value="4ef113dd-9-129483040292873753(4644)" /><log4j:data name="log4jmachinename" value="W7-SUN-JSTANTON" /></log4j:properties></log4j:event>

However when it is processed by Splunk it appears like:

`Apr 26 16:18:09 127.0.0.1 log4j:messageNew session started/log4j:messagelog4j:properties/log4j:properties/log4j:event

Basically it looks like Splunk looks like it has overwritten the opening node, and as a result lossing the log level data, with the datetime that it received it. The applications that are sending it are using nLog with a log4j type target (with an Log4JXmlEventLayout layout). I have configured the sourcetype as log4jxml (custom name) but I think I need to tell it not to do something with the date/time field in the props.conf file (but not too sure what that something is).

I am also using the windows version of Splunk so the file paths are slightly different to the online manuals.

Any help would be most welcome.

Kind regards

Jonathan

Tags (1)
0 Karma
1 Solution

Builder

If you don't want the date and IP appended, add the following to your inputs.conf:

no_priority_stripping = true
no_appending_timestamp = true

Splunk defaults these values to false, telling splunk to strip the first field in <> and then append the host IP and the date to the event.

Hope this helps!

View solution in original post

Builder

If you don't want the date and IP appended, add the following to your inputs.conf:

no_priority_stripping = true
no_appending_timestamp = true

Splunk defaults these values to false, telling splunk to strip the first field in <> and then append the host IP and the date to the event.

Hope this helps!

View solution in original post

Explorer

Thanks for this. I have also learnt that you have to put the files in the directory C:\Program Files\Splunk\etc\apps\search\local and NOT C:\Program Files\Splunk\etc\system\local doh

0 Karma