We have an XML log file that properly gets extracted in Splunk 5, but in Splunk 6 it doesn't properly identify the events. Events seem to be occurring at random in the search results - it doesn't seem to be honoring the KV_Mode. We get 5 events listed with only 2 XML events being sent.
<CustomEvent>
<CreatedOn>2013-09-29T16:47:12</CreatedOn>
<EventType>urn:mycustomevent</EventType>
<Body>
<EventType2>action:login</EventType2>
<EventDateTime>2013-09-29T16:47:12</EventDateTime>
<EventDetails />
</Body>
</CustomEvent>
<CustomEvent>
<CreatedOn>2013-09-29T18:47:12</CreatedOn>
<EventType>urn:mycustomevent</EventType>
<Body>
<EventType2>action:logout</EventType2>
<EventDateTime>2013-09-29T16:47:12</EventDateTime>
<EventDetails />
</Body>
</CustomEvent>
This had nothing to do with Splunk 6. I was missing the following in my props.config. This was done in etc/system/local/props.config at a global scope in our PROD configuration, but wasn't present in our DEV instance apps/customApp/local/props.config local scope.
[customsourcetype]
BREAK_ONLY_BEFORE = ^<CustomEvent
SHOULD_LINEMERGE = true
MAX_TIMESTAMP_LOOKAHEAD=200
KV_MODE = xml
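A simplified model of the line merging involved, as an added example that is not part of the original post and is not Splunk's code: it groups the question's sample lines into events once with a break at every dated line (the documented default, BREAK_ONLY_BEFORE_DATE = true) and once with the stanza's BREAK_ONLY_BEFORE regex. The ISO 8601 date regex, the helper names and the assumption that the regex rule alone decides boundaries when it is set are mine; under this model the default yields five fragments and the regex yields the two complete events.

```python
import re

# Constructed input: the two sample events from the question, one tag per line.
TEMPLATE = """<CustomEvent>
<CreatedOn>{created}</CreatedOn>
<EventType>urn:mycustomevent</EventType>
<Body>
<EventType2>action:{action}</EventType2>
<EventDateTime>2013-09-29T16:47:12</EventDateTime>
<EventDetails />
</Body>
</CustomEvent>
"""
SAMPLE = (TEMPLATE.format(created="2013-09-29T16:47:12", action="login")
          + TEMPLATE.format(created="2013-09-29T18:47:12", action="logout"))

# Assumption: stand-in for Splunk's timestamp recognition (ISO 8601 only).
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")


def merge_lines(text, break_only_before=None):
    """Group lines into events, modelling SHOULD_LINEMERGE = true.

    break_only_before=None models the default BREAK_ONLY_BEFORE_DATE = true:
    a new event starts at every line that contains a date. Otherwise a new
    event starts only at lines matching the given regex."""
    starts = re.compile(break_only_before) if break_only_before else DATE_RE
    events, current = [], []
    for line in text.splitlines():
        if current and starts.search(line):
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def well_formed(event):
    """True when the event holds one complete <CustomEvent> element."""
    return event.startswith("<CustomEvent>") and event.endswith("</CustomEvent>")


if __name__ == "__main__":
    for label, rule in (("default", None), ("stanza", r"^<CustomEvent")):
        evs = merge_lines(SAMPLE, rule)
        print(label, len(evs), "events,", sum(map(well_formed, evs)), "complete")
```

Fragments that do not contain a whole `<CustomEvent>` element also leave KV_MODE = xml with nothing well-formed to extract from, which fits the extraction symptom in the question.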