Hi,
I have an XML file with multiple tags, and I want to split it into multiple events. What configuration do I need to add to the props.conf file?
Here is the example,
INFO 2015-01-08 10:16:49
<V_XML Version="2.0" Direction="Response">
<Enquiry >
<Result />
<3DSID>...</3DSID>
<CHAID>...</CHAID>
<CHADD>...</CHADD>
<EC>...</EC>
</Enquiry>
</V_XML>
-------------------
INFO 2015-01-08 10:16:50
<V_XML Version="2.0" >
<Transaction >
<CHAID>...</CHAID>
<CHADD>...</CHADD>
<Amt>...</Amt>
<Currency>...</Currency>
<EC>...</EC>
<ExpiryD>......</ExpiryD>
<MerchantRef>...</MerchantRef>
<CSCode>...</CSCode>
<PAN>...</PAN>
</Transaction>
</V_XML>
Try something like this for your props.conf (on Indexer/Heavy Forwarder)
[YourSourceType]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\w+\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=^\w+\s+
MAX_TIMESTAMP_LOOKAHEAD=20
Hi,
Thanks for the info. Could you explain the LINE_BREAKER regex format? It will be very helpful for my reference.
Splunk documentation has good information on LINE_BREAKER. The topic http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/Configureeventlinebreaking is a good starting point.
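To see what the LINE_BREAKER and timestamp settings above actually do to the posted log, here is an added Python emulation (not Splunk's own code, and not part of this thread) that applies the same regexes to a constructed sample in the shape of the posted file. It also shows the failure mode a practitioner should watch for: a mistyped quantifier such as `\d{2:}` is treated as literal text, matches nothing, and silently collapses the whole file into one event.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the posted log, with element values elided.
SAMPLE = (
    "INFO 2015-01-08 10:16:49\n"
    '<V_XML Version="2.0" Direction="Response">\n'
    "<Enquiry>\n<Result />\n<EC>...</EC>\n</Enquiry>\n</V_XML>\n"
    "-------------------\n"
    "INFO 2015-01-08 10:16:50\n"
    '<V_XML Version="2.0" >\n'
    "<Transaction>\n<Amt>...</Amt>\n<Currency>...</Currency>\n</Transaction>\n</V_XML>\n"
)

# The props.conf settings from the answer, expressed as Python regexes.
LINE_BREAKER = r"([\r\n]+)\w+\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}"
BAD_LINE_BREAKER = r"([\r\n]+)\w+\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2:}\d{2}"  # "{2:}" is literal text
TIME_PREFIX = r"^\w+\s+"
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 20


def break_events(raw: str, line_breaker: str = LINE_BREAKER) -> list:
    """Emulate LINE_BREAKER: text before a match ends the current event, the first
    capture group is the discarded delimiter, and text after it starts the next event."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start()])
        start = m.end(1)  # the "INFO <timestamp>" header stays with the new event
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def extract_timestamp(event: str) -> datetime:
    """Emulate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT on one event."""
    prefix = re.match(TIME_PREFIX, event)
    if prefix is None:
        raise ValueError("event does not start with the expected INFO prefix")
    window = event[prefix.end():prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
    found = re.search(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", window)
    if found is None:
        raise ValueError("no timestamp within MAX_TIMESTAMP_LOOKAHEAD")
    return datetime.strptime(found.group(0), TIME_FORMAT)


if __name__ == "__main__":
    for ev in break_events(SAMPLE):
        print(extract_timestamp(ev).isoformat(), "|", ev.splitlines()[1])
    print("events with the mistyped regex:", len(break_events(SAMPLE, BAD_LINE_BREAKER)))
```

The "-------------------" separator line ends up as the last line of the preceding event, which is harmless for searching but worth knowing if you later parse the XML out of each event.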
Thanks soni... I understand it now; the line break is based on the timestamp.
Basically on the "INFO Timestamp" pattern.