Dashboards & Visualizations

Event dropped after "build" XML tag in input

Ovi
Path Finder

OK, I have a puzzling issue...
I have a simple input script that sends a POST request and gets back an XML reply as input.
This works just fine and I am getting back about 100 XML lines that I am able to extract and chart in Splunk.
However I encountered a strange behaviour that I can only describe as follows:
- if one of the XML response tags is <build>, Splunk will drop everything else after that
- it's not that it breaks the event - it will actually terminate it (everything else after is gone)

I tried with multiple input XMLs but they all behave the same - as soon as a <build> tag is present the rest is dropped. Otherwise everything works fine.

So I am at a loss at this point. Any clue why this is happening and how can I get around it?

Here's the event as recorded by Splunk:

3/27/13 10:36:28.000 AM

<?xml version="1.0" encoding="UTF-8"?>
<env:Body><dp:timestamp>2013-03-27T10:36:28-04:00</dp:timestamp><dp:status>
6803467
XI52.5.0.0.5
223327

host=CS1DPIST
sourcetype=datapower
source=E:\Splunk\etc\apps\datapower\bin\datapower_ist_sys.cmd

And here's the full sample script output if ran from command line:

<?xml version="1.0" encoding="UTF-8"?>

<env:Body>

<dp:timestamp>2013-03-27T10:38:36-04:00</dp:timestamp>
<dp:status>
6803467
XI52.5.0.0.5
223327
2013/01/15 14:47:52
XI52.5.0.0.5
XI52.5.0.0.5
XI52.5.0.0.5
embedded
7199
42X

</dp:status>
</dp:response>
</env:Body>
</env:Envelope>


sowings
Splunk Employee

Splunk sees another date, and is likely therefore interpreting it as a new event. You'll have to update your props.conf for this sourcetype to reflect a TIME_FORMAT, probably TIME_PREFIX, and likely a MAX_TIMESTAMP_LOOKAHEAD as well.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf


Ovi
Path Finder

Excellent. That was it. I disabled the sucker for this sourcetype (DATETIME_CONFIG = NONE) and it's all good now. Thanks man!

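The two fixes discussed in this thread, written out as a props.conf stanza for the sourcetype shown in the event (an added example, not from the thread or from the DataPower app): option A is the DATETIME_CONFIG = NONE setting Ovi applied, option B is the TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD route sowings suggested. The regex, the format string, the lookahead value and the BREAK_ONLY_BEFORE pattern are assumptions derived from the sample XML above, not settings the thread states.

```ini
# props.conf (added example; stanza name is the sourcetype from the event above)
[datapower]

# Option A: what the asker did. Timestamp recognition is switched off, so the
# "2013/01/15 14:47:52" value inside <build> is no longer seen as a date and can
# no longer start a new event. Trade-off: _time becomes the index time, not the
# device's dp:timestamp.
DATETIME_CONFIG = NONE

# Option B: keep timestamp extraction, but anchor it to the dp:timestamp element.
# (Assumed values; enable these and remove DATETIME_CONFIG above.)
# Only text after this regex is examined for a timestamp, so the build date
# never qualifies as one.
#TIME_PREFIX = <dp:timestamp>
# Matches 2013-03-27T10:36:28-04:00 (%:z is the offset with a colon).
#TIME_FORMAT = %Y-%m-%dT%H:%M:%S%:z
# Only look this many characters past the prefix, which covers the value above.
#MAX_TIMESTAMP_LOOKAHEAD = 30
# Make the event boundary explicit: each script run emits one XML document,
# so a new event starts only at the XML declaration, never at a mid-document date.
#BREAK_ONLY_BEFORE = <\?xml
#BREAK_ONLY_BEFORE_DATE = false
```

Only one option should be active at a time. Option A is the quickest fix, but it silently shifts event time to index time, which matters if the script runs on a schedule and you search or alert on the device's own timestamp; option B keeps the device time and still indexes the whole document. Either way the change applies only to data indexed after Splunk reloads the configuration; the truncated events already on disk are not repaired.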