Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Unable to break xml without timestamp

Cuyose
Builder
‎09-18-2014 05:52 PM

I am trying to break these into separate events and have tried everything and its just not working

< sale id="1012128864" reportGroup="asdasd" customerId="7412213255"  >
            < orderId>101221348864 < /orderId >
            < amount>1999 < /amount >
            < orderSource >ecommerce < /orderSource >
            < token >
                <litleToken >8888888888888 < /litleToken >
                < expDate >1120 < /expDate >
            < /token >
        < / sale >

props.conf are 

[custom_sourcetype]
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = \
SHOULD_LINEMERGE = true
0 Karma
Reply

neelamssantosh
Contributor
‎09-18-2014 08:49 PM

Kindly share couple of more
_raw logs from log file..

0 Karma
Reply

Cuyose
Builder
‎09-19-2014 08:09 AM

It won't seem to let me upload the file, but literally there are just a bunch of blocks like this that are exactly the same with different element values. No timestamps

0 Karma
Reply

somesoni2
Revered Legend
‎09-18-2014 08:38 PM

This works for me with your sample data.

props.conf are

[custom_sourcetype]
BREAK_ONLY_BEFORE = \<\s*sale\s
MUST_BREAK_AFTER = \<\s*/sale\s*\>
BREAK_ONLY_BEFORE_DATE = false
DATETIME_CONFIG = CURRENT
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
pulldown_type = 1
0 Karma
Reply

Cuyose
Builder
‎09-19-2014 07:11 AM

Odd this still doesn't work for me. I must have doe setting somewhere overriding this. Any ideas where it might be? The props.conf I am editing is definitely the etc/system/local.props.conf

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎09-19-2014 09:52 AM

The only thing that overrides etc/system/local would be if you're using a clustered indexing setup, with custom rules pushed by the cluster master to the indexer peers. So unless you're in a cluster, system/local/props.conf is the king of the hill.

0 Karma
Reply

Cuyose
Builder
‎09-19-2014 10:01 AM

Hmm, im stumped then, because we definitely aren't doing that. Ill keep working on it.

0 Karma
Reply

Cuyose
Builder
‎09-18-2014 08:13 PM

Sorry, yes this is an example of a single event, with many others formatted the same. No matter what I try, it won't break them up.

0 Karma
Reply

somesoni2
Revered Legend
‎09-18-2014 06:39 PM

This is one event you have or you want to break these into separate entries?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...