
Why are we unable to parse XML log in a clustered environment?

Explorer

Sorry to post another XML parsing question; I checked most of the Answers related to similar questions, but nothing seems to work.

I am trying to parse an XML log in a clustered environment.

4 indexers, 3 heavy forwarders, 1 deployment server

sample XML log:

Query

  0
  0



  1
  set
  S




  Query

  0
  0



  1
  set
  S

props.conf file:

[sample]
kv_mode=xml
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=
CHARSET=UTF-8
disabled=false

inputs.conf:

[monitor:///var/log/sample.xml]
index=sample
sourcetype=sample

I'm using the /opt/splunk/bin/splunk reload deploy-server command to deploy changes and restart; on the heavy forwarders the files are getting updated as well.

But whatever changes I make to props.conf, the XML events in Splunk are not changing and are parsed as below.

event 1

Query

  0
  0



  1
  set
  S


event 2


  Query

  0
  0



  1
  set
  S

PS: I have copied props.conf from the Splunk console when I tried to upload data manually.

Can someone please figure out what the issue is here? Thanks in advance.


Re: Why are we unable to parse XML log in a clustered environment?

Explorer

sample XML log:

  Query

  0
  0



  1
  set
  S




  Query

  0
  0



  1
  set
  S

and the events I'm able to see are

event 1


  Query

  0
  0



  1
  set
  S


event 2


  Query

  0
  0



  1
  set
  S

Re: Why are we unable to parse XML log in a clustered environment?

Motivator

Be sure that you don't have a local version of props.conf. If you do, it will take precedence over the version you are pushing out and override any settings there.

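An added example, not from this thread and not Splunk's own code, that illustrates both the original poster's props.conf and the precedence point above. It merges a deployed props.conf with a leftover local one the way Splunk layers them (setting by setting, local winning), then applies the merged BREAK_ONLY_BEFORE to a constructed audit log to show how many events come out. The element names inside the records, the stale local value and the simplified merging rules are assumptions; the only detail taken from the thread is that each record starts at an AUDIT_RECORD element.

```python
import re
from configparser import ConfigParser

# Constructed props.conf layers (not the poster's files). Splunk layers these
# per setting: etc/system/local beats etc/apps/<app>/local, which beats
# etc/apps/<app>/default, which beats etc/system/default.
DEPLOYED_PROPS = """\
[sample]
KV_MODE = xml
SHOULD_LINEMERGE = true
NO_BINARY_CHECK = true
BREAK_ONLY_BEFORE = <AUDIT_RECORD>
CHARSET = UTF-8
"""

# A forgotten local/props.conf on a heavy forwarder. One stale setting is
# enough to override the pushed BREAK_ONLY_BEFORE (assumed value).
STALE_LOCAL_PROPS = """\
[sample]
BREAK_ONLY_BEFORE = <OLD_ROOT_ELEMENT>
"""

# Constructed audit log with two records; the child element names are assumptions.
SAMPLE_LOG = """\
<AUDIT_RECORD>
  <NAME>Query</NAME>
  <STATUS>0</STATUS>
  <CONNECTION_ID>1</CONNECTION_ID>
  <COMMAND_CLASS>set</COMMAND_CLASS>
  <SQLTEXT>S</SQLTEXT>
</AUDIT_RECORD>
<AUDIT_RECORD>
  <NAME>Query</NAME>
  <STATUS>0</STATUS>
  <CONNECTION_ID>2</CONNECTION_ID>
  <COMMAND_CLASS>set</COMMAND_CLASS>
  <SQLTEXT>S</SQLTEXT>
</AUDIT_RECORD>
"""


def load_props(text):
    """Parse one props.conf layer into {stanza: {setting: value}}."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def merge_props(*layers):
    """Combine layers lowest precedence first; a later layer wins per setting.
    This is the effective view that `splunk btool props list` reports."""
    merged = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged


def break_events(raw, stanza):
    """Simplified Splunk line merging. With SHOULD_LINEMERGE=true a new event
    starts only at a line matching BREAK_ONLY_BEFORE (if it is unset, all lines
    merge; MAX_EVENTS and timestamp-based breaking are ignored here). With
    SHOULD_LINEMERGE=false every line is its own event (default LINE_BREAKER)."""
    lines = raw.strip("\n").splitlines()
    if stanza.get("SHOULD_LINEMERGE", "true").lower() != "true":
        return lines
    pattern = stanza.get("BREAK_ONLY_BEFORE")
    starts_event = re.compile(pattern) if pattern else None
    events, current = [], []
    for line in lines:
        if current and starts_event and starts_event.search(line):
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


if __name__ == "__main__":
    pushed = merge_props(load_props(DEPLOYED_PROPS))["sample"]
    print(len(break_events(SAMPLE_LOG, pushed)), "events with the pushed config")
    stale = merge_props(load_props(DEPLOYED_PROPS), load_props(STALE_LOCAL_PROPS))["sample"]
    print("effective BREAK_ONLY_BEFORE:", stale["BREAK_ONLY_BEFORE"])
    print(len(break_events(SAMPLE_LOG, stale)), "event with the stale local copy layered on top")
```

Line-breaking settings such as SHOULD_LINEMERGE and BREAK_ONLY_BEFORE take effect on the first full Splunk instance that parses the data, which in the setup described is the heavy forwarders, while KV_MODE is applied at search time on the search head; a stale local props.conf on a heavy forwarder therefore changes event breaking regardless of what the deployment server pushes. Running `splunk btool props list sample --debug` on the forwarder shows which file each effective setting comes from.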

Re: Why are we unable to parse XML log in a clustered environment?

Explorer

Hi Codebuilder, I have removed all the files from the local folder.
What else can be the issue?


Re: Why are we unable to parse XML log in a clustered environment?

Motivator

If you had a local version of props.conf and removed it, then you'll likely need to cycle your search head or SHC. Then re-test.


Re: Why are we unable to parse XML log in a clustered environment?

Esteemed Legend

This is a good start but you have not told us anything about what you are trying to change. We see what the raw data looks like but what is wrong with them?


Re: Why are we unable to parse XML log in a clustered environment?

Explorer

Hi Woodcock, I'm trying to parse the XML log using the given props.conf, with BREAK_ONLY_BEFORE=AUDIT_RECORD.

I'm trying to provide the sample XML log here in my post, but it's not getting posted, as I see in the preview.


Re: Why are we unable to parse XML log in a clustered environment?

Esteemed Legend

This makes no sense. The events that you posted are not XML. Are those really your events?
