Hi,
We just started working on Splunk. We have a single log file containing multiple XML documents separated by the line breaker #######################
as below (all built with the same schema). We need some help configuring the XML tags as search parameters.
<?xml version='1.0'?>
<Log>
<HOST>127.0.0.1</HOST>
<DATE>10-04-2016T12:12:12</DATE>
<TRANSACTIONID>OpportunityId</TRANSACTIONID>
<TRANSACTIONVALUE>dsd767dsdkXSAre</TRANSACTIONVALUE>
<APPLICATION>QuoteSync</APPLICATION>
</Log>
#######################
<?xml version='1.0'?>
<Log>
<HOST>127.0.0.1</HOST>
<DATE>10-04-2016T12:12:12</DATE>
<TRANSACTIONID>OpportunityId</TRANSACTIONID>
<TRANSACTIONVALUE>dsd767dsdkXSAre</TRANSACTIONVALUE>
<APPLICATION>QuoteSync</APPLICATION>
</Log>
Thanks,
Vinay
Try this for your sourcetype definition (props.conf on Indexer/Heavy forwarder)
[YourSourceType]
# Break events on the line of hashes; the matched separator is discarded
LINE_BREAKER = (#+\s*[\r\n]+)
SHOULD_LINEMERGE = false
# Timestamp follows the <DATE> tag, e.g. 10-04-2016T12:12:12 (19 characters, literal T between date and time)
TIME_PREFIX=\<DATE\>
TIME_FORMAT = %m-%d-%YT%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
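As an added check, not part of Vinay's question or the answer above: the Python script below emulates what the proposed props.conf stanza does to the sample before you deploy it. It applies the same LINE_BREAKER regex, the same TIME_PREFIX and lookahead, and a TIME_FORMAT that includes the literal T the sample dates contain, then pulls every tag out of each event the way search-time XML extraction (KV_MODE = xml in props.conf on the search head, or | spath at search time, which exposes them under dotted paths such as Log.HOST) would. The second record, its values and the deliberately malformed record are constructed for the example. The malformed record shows that a closing tag whose case does not match its opening tag still breaks and gets a timestamp, but yields no XML fields, which is worth catching before relying on tag names as search fields.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample input: the record from the question plus a second one with
# different values, separated by the same line of hashes.
SAMPLE_LOG = (
    "<?xml version='1.0'?>\n"
    "<Log>\n"
    "<HOST>127.0.0.1</HOST>\n"
    "<DATE>10-04-2016T12:12:12</DATE>\n"
    "<TRANSACTIONID>OpportunityId</TRANSACTIONID>\n"
    "<TRANSACTIONVALUE>dsd767dsdkXSAre</TRANSACTIONVALUE>\n"
    "<APPLICATION>QuoteSync</APPLICATION>\n"
    "</Log>\n"
    "#######################\n"
    "<?xml version='1.0'?>\n"
    "<Log>\n"
    "<HOST>10.0.0.5</HOST>\n"
    "<DATE>10-04-2016T12:13:45</DATE>\n"
    "<TRANSACTIONID>AccountId</TRANSACTIONID>\n"
    "<TRANSACTIONVALUE>abc123</TRANSACTIONVALUE>\n"
    "<APPLICATION>QuoteSync</APPLICATION>\n"
    "</Log>\n"
)

# Constructed malformed record: the closing tag differs in case from the opening tag.
BAD_EVENT = (
    "<?xml version='1.0'?>\n"
    "<Log>\n"
    "<HOST>127.0.0.1</HOST>\n"
    "<DATE>10-04-2016T12:12:12</DATE>\n"
    "<APPLICATION>QuoteSync</Application>\n"
    "</Log>\n"
)

# Settings mirrored from the props.conf stanza; TIME_FORMAT includes the
# literal T that sits between date and time in the sample.
LINE_BREAKER = r"(#+\s*[\r\n]+)"
TIME_PREFIX = r"\<DATE\>"
TIME_FORMAT = "%m-%d-%YT%H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 19


def break_events(raw):
    """Split raw text into events the way LINE_BREAKER does: the text matched
    by the capture group is the boundary and is kept in neither event."""
    parts = re.split(LINE_BREAKER, raw)
    # re.split returns body, separator, body, separator, ...; keep the bodies.
    return [p.strip() for p in parts[::2] if p.strip()]


def extract_timestamp(event):
    """Locate the timestamp with TIME_PREFIX, read at most
    MAX_TIMESTAMP_LOOKAHEAD characters after it and parse them with
    TIME_FORMAT. Returns None when nothing parses (Splunk would then fall
    back to its own timestamp heuristics, which the stanza is meant to avoid)."""
    m = re.search(TIME_PREFIX, event)
    if m is None:
        return None
    candidate = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    try:
        return datetime.strptime(candidate, TIME_FORMAT)
    except ValueError:
        return None


def extract_fields(event):
    """Turn each child element of <Log> into a field, as search-time XML
    extraction would. Returns None if the event is not well-formed XML."""
    try:
        root = ET.fromstring(event)
    except ET.ParseError:
        return None
    return {child.tag: (child.text or "").strip() for child in root}


def parse_log(raw):
    """Apply event breaking, timestamping and field extraction to a whole file."""
    records = []
    for event in break_events(raw):
        ts = extract_timestamp(event)
        fields = extract_fields(event) or {}
        fields["_time"] = ts.isoformat() if ts else None
        records.append(fields)
    return records


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec)
    print("malformed record fields:", extract_fields(BAD_EVENT))
```

Run it with python3 against a copy of your real file (replace SAMPLE_LOG) to confirm every record breaks cleanly, carries the expected _time and yields all five tags; any record that comes back with no fields will not be searchable by tag name in Splunk either.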