Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are we unable to parse XML log in a clustered environment?

vasanthi77
Explorer
‎04-29-2019 11:57 PM

Sorry to post another xml parsing post, I checked most of the Answers related to similar question as this but nothing seems to work.

I am trying to parse xml log in a clustered environment.

4 indexers 3 heavy forwarders 1 deployment server

sample xml log : 

Query

  0
  0



  1
  set
  S




  Query

  0
  0



  1
  set
  S

Props.conf file:

[sample]
kv_mode=xml
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=
CHARSET=UTF-8
disabled=false

inputs.conf:

[monitor:///var/log/sample.xml]
index=sample
sourcetype=sample

I m using /opt/splunk/bin/splunk reload deploy-server command to deploy changes and restart ,In heavy forwarders files are getting updated as well.

But whatever changes i am making to props.conf the xml events in splunk is not changing and parsing as below.
event1 

Query

  0
  0



  1
  set
  S


event 2


  Query

  0
  0



  1
  set
  S

PS : I have copied props.conf from splunk console when i tried to upload data manually .

Can someone please figure out what is the issue here. Thanks in advance

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-04-2019 02:01 PM

This makes no sense. The events that you posted are not XML. Are those really your events?

0 Karma
Reply

woodcock
Esteemed Legend
‎05-01-2019 10:00 PM

This is a good start but you have not told us anything about what you are trying to change. We see what the raw data looks like but what is wrong with them?

0 Karma
Reply

vasanthi77
Explorer
‎05-02-2019 09:53 PM

Hi Woodcook , i m trying to parse the xml log using the given props.conf. with BREAK_ONLY_BEFORE=AUDIT_RECORD ,

I m trying to provide sample xml log here in my post, but its nt getting posted as i see in preview.

0 Karma
Reply

codebuilder
SplunkTrust
SplunkTrust
‎04-30-2019 01:04 PM

Be sure that you don't have a local version of props.conf. If you do, it will take precedence over the version you are pushing out and override any settings there.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

vasanthi77
Explorer
‎04-30-2019 04:51 PM

Hi Codebuilder , I have removed all the files from local folder.
What else can be the issue ?

0 Karma
Reply

codebuilder
SplunkTrust
SplunkTrust
‎05-01-2019 06:50 AM

If you had a local version of props.conf and removed it, then you'll likely need to cycle your search head or SHC. Then re-test.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

vasanthi77
Explorer
‎04-29-2019 11:59 PM

sample xml log :

  Query

  0
  0



  1
  set
  S




  Query

  0
  0



  1
  set
  S

and events i m able to see are

event1


  Query

  0
  0



  1
  set
  S


event2


  Query

  0
  0



  1
  set
  S
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...