Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk chews XML Input

ac931274
Explorer
‎04-26-2011 08:52 AM

Hello there,
I have a number of applications that I want to log to Splunk. I will be sending the data in an XML format via a UDP listener. The data that is being sent looks like:

<log4j:event logger="ASP.global_asax" level="INFO" timestamp="1303830487907" thread="15"><log4j:message>New session started</log4j:message><log4j:properties><log4j:data name="log4japp" value="4ef113dd-9-129483040292873753(4644)" /><log4j:data name="log4jmachinename" value="W7-SUN-JSTANTON" /></log4j:properties></log4j:event>

However when it is processed by Splunk it appears like:

`Apr 26 16:18:09 127.0.0.1 log4j:messageNew session started/log4j:messagelog4j:properties/log4j:properties/log4j:event

Basically it looks like Splunk looks like it has overwritten the opening node, and as a result lossing the log level data, with the datetime that it received it. The applications that are sending it are using nLog with a log4j type target (with an Log4JXmlEventLayout layout). I have configured the sourcetype as log4jxml (custom name) but I think I need to tell it not to do something with the date/time field in the props.conf file (but not too sure what that something is).

I am also using the windows version of Splunk so the file paths are slightly different to the online manuals.

Any help would be most welcome.

Kind regards

Jonathan

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bbingham
Builder
‎04-26-2011 09:44 AM

If you don't want the date and IP appended, add the following to your inputs.conf:

no_priority_stripping = true
no_appending_timestamp = true

Splunk defaults these values to false, telling splunk to strip the first field in <> and then append the host IP and the date to the event.

Hope this helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

bbingham
Builder
‎04-26-2011 09:44 AM

If you don't want the date and IP appended, add the following to your inputs.conf:

no_priority_stripping = true
no_appending_timestamp = true

Splunk defaults these values to false, telling splunk to strip the first field in <> and then append the host IP and the date to the event.

Hope this helps!

Reply
Solved! Jump to solution

ac931274
Explorer
‎04-26-2011 11:01 AM

Thanks for this. I have also learnt that you have to put the files in the directory C:\Program Files\Splunk\etc\apps\search\local and NOT C:\Program Files\Splunk\etc\system\local doh

0 Karma
Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk &#43; Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...