XML file, Breaking before and/or after matching <Document> .. </Document> tags

miken_hg5
Explorer

I am puzzled why I cannot configure Splunk to break on what appears to be simple ... tags

My XML looks like this (a snippet)

<?xml etc .. with <Document ...> ... </Document> tags

What I want to do is treat the <Document ...> ... </Document> as an event

I've tried using MUST BREAK AFTER = </Document>

and with and without BREAK ONLY BEFORE

Splunk is stubbornly breaking part way thru my intended event

I have tried escaping the < and > and even escaping the / too

But no joy ... it should be simple based on what I have read and the XML seems well formed ... I am puzzled


miken_hg5
Explorer

Aha, I've solved it and found this answer especially relevant to my problem

http://answers.splunk.com/answers/88201/need-help-with-event-breaking-in-xml-log-file

The fix for my file was to use this in props.conf in Advanced Mode in Data Inputs

BREAK_ONLY_BEFORE=<Document

MUST_BREAK_AFTER=<\/Document>
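
To check where the two regexes from the fix above would place event boundaries before deploying them, this added example (not from the original post and not Splunk's code) runs them through a simplified model of line merging over a constructed XML sample. The function names, the `<Export>` wrapper and the sample data are assumptions.

```python
import re

# The two regexes from the accepted answer's props.conf settings.
BREAK_ONLY_BEFORE = re.compile(r"<Document")
MUST_BREAK_AFTER = re.compile(r"<\/Document>")
NEVER = re.compile(r"(?!)")  # matches nothing; stands in for an unset setting

# Constructed sample input (the <Export> wrapper and fields are assumptions).
SAMPLE = """\
<?xml version="1.0" encoding="UTF-8"?>
<Export>
<Document id="1">
  <Title>first</Title>
  <Body>line one
line two</Body>
</Document>
<Document id="2">
  <Title>second</Title>
</Document>
</Export>
"""


def merge_lines(text, break_before=BREAK_ONLY_BEFORE, break_after=MUST_BREAK_AFTER):
    """Simplified model of line merging (an assumption, not Splunk's code):
    a new event starts at a line matching break_before, and at the line
    that follows one matching break_after."""
    events, current, force_break = [], [], False
    for line in text.splitlines():
        if current and (force_break or break_before.search(line)):
            events.append("\n".join(current))
            current = []
        current.append(line)
        force_break = bool(break_after.search(line))
    if current:
        events.append("\n".join(current))
    return events


def is_whole_document(event):
    """True when the event is exactly one <Document ...> ... </Document>."""
    return (event.startswith("<Document") and event.endswith("</Document>")
            and event.count("</Document>") == 1)


if __name__ == "__main__":
    for n, event in enumerate(merge_lines(SAMPLE), 1):
        print(f"--- event {n} (whole document: {is_whole_document(event)})")
        print(event)
```

With only the first regex in this model (`merge_lines(SAMPLE, break_after=NEVER)`), the trailing `</Export>` line stays attached to the last document, which is the case the second regex covers.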

kristian_kolb
Ultra Champion

Are you sure that you're editing the correct file? In the correct place? In the correct way? On the correct splunk instance? Please provide more information regarding your config, including the relevant stanzas from the config files.

/K
