OK, I have a puzzling issue....
I have a simple input script that sends a POST request and gets back an XML reply as input
This works just fine and I am getting back about 100 XML lines without problems, which I am able to extract and chart in Splunk.
However I encountered a strange behaviour that I can only describe as follows:
- if one of the XML response tags is
- it's not that it breaks the event - it will actually terminate it (everything else after is gone)
I tried with multiple input XMLs but they all behave the same - as soon as a
So I am at a loss at this point. Any clue why this is happening and how I can get around it?
Here's the event as recorded by Splunk:
3/27/13 10:36:28.000 AM
<?xml version="1.0" encoding="UTF-8"?>
host=CS1DPIST
sourcetype=datapower
source=E:\Splunk\etc\apps\datapower\bin\datapower_ist_sys.cmd
And here's the full sample script output if run from the command line:
<?xml version="1.0" encoding="UTF-8"?>
<env:Body>
<dp:timestamp>2013-03-27T10:38:36-04:00</dp:timestamp>
<dp:status>
</dp:status>
</dp:response>
</env:Body>
</env:Envelope>
Splunk sees another date, and is likely therefore interpreting it as a new event. You'll have to update your props.conf for this sourcetype to reflect a TIME_FORMAT, probably TIME_PREFIX, and likely a MAX_TIMESTAMP_LOOKAHEAD as well.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
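As an added illustration of the settings named in this answer (not configuration from the original thread or from the poster's app), here is a props.conf stanza for the `datapower` sourcetype shown in the question. It goes a step beyond the answer: besides pinning the timestamp to the `<dp:timestamp>` element with TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD, it also turns off line merging and breaks events only at the XML declaration, so a date anywhere inside the document can no longer split the event. The regexes assume each script run emits exactly one document that starts with `<?xml` and carries its timestamp in `<dp:timestamp>`, as in the sample output above.

```ini
# props.conf (added example, not from the thread). Stanza name taken from
# the sourcetype=datapower field in the recorded event.
[datapower]

# One event per XML document: break only where the next document begins
# (assumes every script run starts with the <?xml declaration).
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=<\?xml)

# Look for the timestamp only directly after the <dp:timestamp> tag.
TIME_PREFIX = <dp:timestamp>

# ISO 8601 with numeric UTC offset, e.g. 2013-03-27T10:38:36-04:00
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z

# The timestamp is 25 characters long; stop scanning after that so nothing
# further into the body is ever read as a second date.
MAX_TIMESTAMP_LOOKAHEAD = 25
```

Put the stanza on the instance that parses the data (indexer or heavy forwarder) and restart Splunk or reload the configuration for it to take effect; `_time` will then be the device's own `dp:timestamp`. The alternative the asker settled on below, `DATETIME_CONFIG = NONE`, keeps the event whole but assigns index time as `_time`, so the timestamp reported by the appliance is lost from the timeline and any search or correlation by event time reflects when Splunk read the script output, not when the appliance produced it.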
Excellent. That was it. I disabled the sucker for this sourcetype (DATETIME_CONFIG = NONE) and it's all good now. Thanks man!