
Why is my props.conf not breaking my XML log file correctly?

johnbuhlhiscox
New Member

Splunk is indexing the entire file and not using the breaks in the props.conf file.

Here is the file:

 <break>
    <SaveQuote>
      <ApplicationArea>
        <MessageID>message21</MessageID>
        <Verb>save</Verb>
        <Noun>Quote</Noun>
        <SenderID>AY: GL</SenderID>
      </ApplicationArea>
    </SaveQuote>
    <break>
    <SaveQuote>
      <ApplicationArea>
        <MessageID>message20</MessageID>
        <Verb>save</Verb>
        <Noun>Quote</Noun>
        <SenderID>AY: GL</SenderID>
      </ApplicationArea>
    </SaveQuote>

Here is the inputs.conf file:

[monitor://L:\Logs\info.log]
disabled = 0
sourcetype=nsl:all:webmethods
index=nsl_webmethods
followTail = 0

Here is the props.conf file:

[nsl:all:webmethods]
DATETIME_CONFIG = CURRENT
KV_MODE = xml
LINE_BREAKER = (<SaveQuote>)
MUST_BREAK_AFTER = \</SaveQuote\>
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
MAX_EVENTS = 20000

beatus
Communicator

You shouldn't need your MUST_BREAK_AFTER at all. Your line breaker just needs to be modified a bit:

LINE_BREAKER = ([\r\n]+\s*\<break\>)

If you need the break to stay in the data, move it out of the parens. Like so:

LINE_BREAKER = ([\r\n]+\s*)\<break\>

To be sure, the break is actually in the data? If not, use this:

LINE_BREAKER = ([\r\n]+\s*)\<SaveQuote\>

Just a note - I used \s* as I'm not sure if there's always a space before the "SaveQuote" or "break" in your data.
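
To compare the LINE_BREAKER values from this thread offline, here is an added example that is not part of the original posts. It approximates the documented LINE_BREAKER rule (the text matched by the first capture group is discarded and marks the event boundary) with Python's `re` instead of Splunk's PCRE engine, on a constructed sample shortened from the log in the question; `split_events`, `compare` and the dictionary keys are names made up for the example.

```python
import re

# Constructed sample, shortened from the log excerpt in the question.
SAMPLE = (
    " <break>\n"
    "    <SaveQuote>\n"
    "      <ApplicationArea>\n"
    "        <MessageID>message21</MessageID>\n"
    "      </ApplicationArea>\n"
    "    </SaveQuote>\n"
    "    <break>\n"
    "    <SaveQuote>\n"
    "      <ApplicationArea>\n"
    "        <MessageID>message20</MessageID>\n"
    "      </ApplicationArea>\n"
    "    </SaveQuote>\n"
)

# LINE_BREAKER values taken from the thread (dictionary keys are hypothetical labels).
BREAKERS = {
    "original": r"(<SaveQuote>)",
    "drop_break": r"([\r\n]+\s*\<break\>)",
    "keep_break": r"([\r\n]+\s*)\<break\>",
    "on_savequote": r"([\r\n]+\s*)\<SaveQuote\>",
}

def split_events(data, line_breaker):
    """Approximate LINE_BREAKER: the text matched by capture group 1 is
    discarded; the previous event ends where the group starts and the next
    event begins where it ends. Whitespace-only events are dropped (a
    simplification made for this example)."""
    events, start = [], 0
    for m in re.finditer(line_breaker, data):
        events.append(data[start:m.start(1)])
        start = m.end(1)
    events.append(data[start:])
    return [e for e in events if e.strip()]

def compare(data=SAMPLE):
    """Return {label: list of events} for each LINE_BREAKER above."""
    return {name: split_events(data, rx) for name, rx in BREAKERS.items()}

if __name__ == "__main__":
    for name, events in compare().items():
        print(f"{name}: {len(events)} events")
        for e in events:
            print("   ", repr(e[:40]))
```

With the original `(<SaveQuote>)` value the opening tag is itself the discarded capture, so no resulting event keeps its `<SaveQuote>` tag. Breaking on `<SaveQuote>` while `<break>` lines are present leaves a stray `<break>` event at the top and a trailing `<break>` on the event before each boundary.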

johnbuhlhiscox
New Member

@beatus

Thank you for the quick reply, however, this still doesn't work. Nothing is breaking after several attempts to modify the settings, restart the forwarder service, and even clear out the index. Perhaps, I am not changing the correct files in the correct location.

Both my inputs.conf and props.conf files are in the following location:
D:\programs\SplunkUniversalForwarder\etc\apps\webmethods\local

After I make changes, I restart the Splunk forwarder at the command line with

> splunk restart

beatus
Communicator

Line breaking must be done on an indexer; it's a parse-time event. Universal forwarders do not parse data (except in some situations around Indexed Extractions, but that doesn't apply here).

Try moving your props.conf to your indexers.
