Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why is line breaking not working as expected for my XML data when I edit .conf files directly?

gagi76
New Member
‎05-23-2016 03:04 AM

Hi everyone,

Can someone please explain why these steps won't work? XML file that I input in Splunk are one event, like this:
alt text

inputs.conf 

[monitor://c:/to_the_file]
Sourcetype = aaa

props.conf

[aaa]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]*)

I have tried this from Splunk Web (upload file and configured SHOULD_LINEMERGE = false and
LINE_BREAKER = ([\r\n]*)) and it worked, but when I do it from .conf files, it won't. Any ideas?
And of course, how can I configure date and time to be recognized from Splunk?

Thanks

Preview file
36 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-23-2016 09:45 AM

Give this a try

props.conf

[aaa]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]*)(?=\<LOG\>)
TIME_PREFIX = DATE\>
TIME_FORMAT = %Y%m%d</DATE><TIME>%H%M%S
MAX_TIMESTAMP_LOOKAHEAD = 27

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-23-2016 09:45 AM

Give this a try

props.conf

[aaa]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]*)(?=\<LOG\>)
TIME_PREFIX = DATE\>
TIME_FORMAT = %Y%m%d</DATE><TIME>%H%M%S
MAX_TIMESTAMP_LOOKAHEAD = 27
0 Karma
Reply
Solved! Jump to solution

gagi76
New Member
‎05-23-2016 11:53 PM

Thanks for helping,

ok, we broke logs now with those lines, but the date and time are not recognized from splunk. I have read that I should make datetime.xml file a configure it along with props.conf?

0 Karma
Reply
Solved! Jump to solution

gagi76
New Member
‎05-23-2016 03:06 AM

misspell :
LINE_BREAKER = ([\r\n]*)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...