Getting Data In

LINEMERGE / props.conf issues on XML

helius
Path Finder

Greetings,

I'm receiving XML files and noticed that the first half (around 257 lines) is a single event, but everything after that is a separate event.

screenshot
Reading the documentation, I see mention of modifying the props.conf to fix this. So, I've decided to use the following:

[source::elemental_job]
SHOULD_LINEMERGE = true
MAX_EVENTS = 2000
BREAK_ONLY_BEFORE = ^(<command)
MUST_NOT_BREAK_BEFORE = ^(</command) 

However, this does not work. It seems to have no effect actually.

Can someone tell me what I'm doing wrong?

1 Solution

helius
Path Finder

After much research, found the solution......

I realized that the forwarders don't actually handle working with the data I see on the search head. This is done on the indexers. So I added the following to the props.conf on the indexers we use and it works perfectly.

[source::/opt/elemental_se/web/log/*/job_*/*_emecmd.xml]
SHOULD_LINEMERGE = true
TRUNCATE = 0
MAX_EVENTS = 5000
BREAK_ONLY_BEFORE = ^(<command)
MUST_NOT_BREAK_BEFORE = ^(</command)

View solution in original post

helius
Path Finder

After much research, found the solution......

I realized that the forwarders don't actually handle working with the data I see on the search head. This is done on the indexers. So I added the following to the props.conf on the indexers we use and it works perfectly.

[source::/opt/elemental_se/web/log/*/job_*/*_emecmd.xml]
SHOULD_LINEMERGE = true
TRUNCATE = 0
MAX_EVENTS = 5000
BREAK_ONLY_BEFORE = ^(<command)
MUST_NOT_BREAK_BEFORE = ^(</command)
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...