Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Unable to break xml without timestamp

Cuyose
Builder
‎09-18-2014 05:52 PM

I am trying to break these into separate events and have tried everything and its just not working

< sale id="1012128864" reportGroup="asdasd" customerId="7412213255"  >
            < orderId>101221348864 < /orderId >
            < amount>1999 < /amount >
            < orderSource >ecommerce < /orderSource >
            < token >
                <litleToken >8888888888888 < /litleToken >
                < expDate >1120 < /expDate >
            < /token >
        < / sale >

props.conf are 

[custom_sourcetype]
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = \
SHOULD_LINEMERGE = true
0 Karma
Reply

neelamssantosh
Contributor
‎09-18-2014 08:49 PM

Kindly share couple of more
_raw logs from log file..

0 Karma
Reply

Cuyose
Builder
‎09-19-2014 08:09 AM

It won't seem to let me upload the file, but literally there are just a bunch of blocks like this that are exactly the same with different element values. No timestamps

0 Karma
Reply

somesoni2
Revered Legend
‎09-18-2014 08:38 PM

This works for me with your sample data.

props.conf are

[custom_sourcetype]
BREAK_ONLY_BEFORE = \<\s*sale\s
MUST_BREAK_AFTER = \<\s*/sale\s*\>
BREAK_ONLY_BEFORE_DATE = false
DATETIME_CONFIG = CURRENT
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
pulldown_type = 1
0 Karma
Reply

Cuyose
Builder
‎09-19-2014 07:11 AM

Odd this still doesn't work for me. I must have doe setting somewhere overriding this. Any ideas where it might be? The props.conf I am editing is definitely the etc/system/local.props.conf

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎09-19-2014 09:52 AM

The only thing that overrides etc/system/local would be if you're using a clustered indexing setup, with custom rules pushed by the cluster master to the indexer peers. So unless you're in a cluster, system/local/props.conf is the king of the hill.

0 Karma
Reply

Cuyose
Builder
‎09-19-2014 10:01 AM

Hmm, im stumped then, because we definitely aren't doing that. Ill keep working on it.

0 Karma
Reply

Cuyose
Builder
‎09-18-2014 08:13 PM

Sorry, yes this is an example of a single event, with many others formatted the same. No matter what I try, it won't break them up.

0 Karma
Reply

somesoni2
Revered Legend
‎09-18-2014 06:39 PM

This is one event you have or you want to break these into separate entries?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...