Getting Data In

Unable to break xml without timestamp

Cuyose
Builder

I am trying to break these into separate events and have tried everything, and it's just not working.

< sale id="1012128864" reportGroup="asdasd" customerId="7412213255"  >
    < orderId>101221348864 < /orderId >
    < amount>1999 < /amount >
    < orderSource >ecommerce < /orderSource >
    < token >
        <litleToken >8888888888888 < /litleToken >
        < expDate >1120 < /expDate >
    < /token >
< / sale >

props.conf is

[custom_sourcetype]
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = \
SHOULD_LINEMERGE = true

neelamssantosh
Contributor

Kindly share a couple more _raw logs from the log file.


Cuyose
Builder

It won't seem to let me upload the file, but literally there are just a bunch of blocks like this that are exactly the same with different element values. No timestamps.


somesoni2
Revered Legend

This works for me with your sample data.

props.conf is

[custom_sourcetype]
BREAK_ONLY_BEFORE = \<\s*sale\s
MUST_BREAK_AFTER = \<\s*/sale\s*\>
BREAK_ONLY_BEFORE_DATE = false
DATETIME_CONFIG = CURRENT
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
pulldown_type = 1
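As an added illustration (not code from this thread and not Splunk's own parsing code), the Python script below emulates how the two usual event-breaking strategies treat data shaped like the poster's sample: the answer's SHOULD_LINEMERGE = true with BREAK_ONLY_BEFORE / MUST_BREAK_AFTER, and the alternative SHOULD_LINEMERGE = false with a LINE_BREAKER regex. The three sale blocks, their ids and the helper names are constructed for the example, and the functions are an approximation of Splunk's merge and break steps, not its implementation.

```python
import re

# Constructed sample: three <sale> blocks in the poster's exact spacing (the stray
# spaces inside the angle brackets are kept on purpose, because the thread's
# regexes allow for them with \s*). Ids/amounts other than the first are made up.
BLOCK = """\
< sale id="{sid}" reportGroup="asdasd" customerId="{cid}"  >
    < orderId>{oid} < /orderId >
    < amount>{amt} < /amount >
    < orderSource >ecommerce < /orderSource >
    < token >
        <litleToken >8888888888888 < /litleToken >
        < expDate >1120 < /expDate >
    < /token >
< / sale >
"""
SAMPLE = "".join(BLOCK.format(sid=s, cid=c, oid=o, amt=a) for s, c, o, a in [
    ("1012128864", "7412213255", "101221348864", "1999"),
    ("1012128865", "7412213256", "101221348865", "2999"),
    ("1012128866", "7412213257", "101221348866", "3999"),
])

# The regexes from the answer above, verbatim.
BREAK_ONLY_BEFORE = r"\<\s*sale\s"
MUST_BREAK_AFTER = r"\<\s*/sale\s*\>"
# Equivalent single-pass breaker for SHOULD_LINEMERGE = false (constructed here):
# group 1 is the separator that gets dropped, the tag itself stays with the event.
LINE_BREAKER = r"([\r\n]+)\<\s*sale\s"


def linemerge_break(raw, break_only_before, must_break_after=None):
    """Emulate SHOULD_LINEMERGE = true: physical lines are appended to the current
    event until a line matches BREAK_ONLY_BEFORE, or the previous line matched
    MUST_BREAK_AFTER; either condition starts a new event."""
    before = re.compile(break_only_before)
    after = re.compile(must_break_after) if must_break_after else None
    events, current, force_break = [], [], False
    for line in raw.splitlines():
        if current and (force_break or before.search(line)):
            events.append("\n".join(current))
            current = []
        current.append(line)
        force_break = bool(after and after.search(line))
    if current:
        events.append("\n".join(current))
    return events


def line_breaker(raw, pattern):
    """Emulate SHOULD_LINEMERGE = false with LINE_BREAKER: split wherever the regex
    matches and discard only the text captured by group 1."""
    rx = re.compile(pattern)
    events, start = [], 0
    for m in rx.finditer(raw):
        if m.start(1) > start:
            events.append(raw[start:m.start(1)])
        start = m.end(1)
    tail = raw[start:].rstrip("\r\n")
    if tail.strip():
        events.append(tail)
    return events


def matching_lines(raw, pattern):
    """Return the physical lines a props.conf regex would actually hit; useful for
    checking a regex against the data as posted rather than as imagined."""
    rx = re.compile(pattern)
    return [line for line in raw.splitlines() if rx.search(line)]


def sale_ids(events):
    """Extract the sale id from the first line of each event (constructed helper)."""
    return [re.search(r'\<\s*sale\s+id="(\d+)"', e).group(1) for e in events]


if __name__ == "__main__":
    for i, ev in enumerate(linemerge_break(SAMPLE, BREAK_ONLY_BEFORE, MUST_BREAK_AFTER), 1):
        print(f"--- event {i} ---\n{ev}")
    print("MUST_BREAK_AFTER hits:", len(matching_lines(SAMPLE, MUST_BREAK_AFTER)))
```

Two things worth checking on a real box before blaming precedence. First, the MUST_BREAK_AFTER regex in the answer does not match the closing tag as it appears in the posted sample (`< / sale >` has a space between the slash and `sale`), so the split above comes entirely from BREAK_ONLY_BEFORE; that is harmless here but is the kind of detail `matching_lines` is meant to surface. Second, `splunk btool props list custom_sourcetype --debug` on the instance that parses the data shows which file supplies each setting; line breaking happens at the first full Splunk instance in the path (a heavy forwarder, if there is one, rather than the indexer), parsing settings only apply to data indexed after a restart, and SHOULD_LINEMERGE = true is additionally capped by MAX_EVENTS (256 lines by default) per merged event.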

Cuyose
Builder

Odd, this still doesn't work for me. I must have some setting somewhere overriding this. Any ideas where it might be? The props.conf I am editing is definitely etc/system/local/props.conf.


sowings
Splunk Employee

The only thing that overrides etc/system/local would be if you're using a clustered indexing setup, with custom rules pushed by the cluster master to the indexer peers. So unless you're in a cluster, system/local/props.conf is the king of the hill.


Cuyose
Builder

Hmm, I'm stumped then, because we definitely aren't doing that. I'll keep working on it.


Cuyose
Builder

Sorry, yes this is an example of a single event, with many others formatted the same. No matter what I try, it won't break them up.


somesoni2
Revered Legend

This is one event you have or you want to break these into separate entries?
