Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is my props.conf not breaking my XML log file correctly?

johnbuhlhiscox
New Member
‎06-20-2016 04:56 AM

Splunk is indexing the entire file and not using the breaks in the props.conf file.

Here is the file:

 <break>
    <SaveQuote>
      <ApplicationArea>
        <MessageID>message21</MessageID>
        <Verb>save</Verb>
        <Noun>Quote</Noun>
        <SenderID>AY: GL</SenderID>
      </ApplicationArea>
    </SaveQuote>
    <break>
    <SaveQuote>
      <ApplicationArea>
        <MessageID>message20</MessageID>
        <Verb>save</Verb>
        <Noun>Quote</Noun>
        <SenderID>AY: GL</SenderID>
      </ApplicationArea>
    </SaveQuote>

Here is the inputs.conf file:

[monitor://L:\Logs\info.log]
disabled = 0
sourcetype=nsl:all:webmethods
index=nsl_webmethods
followTail = 0

Here is the props.conf file:

[nsl:all:webmethods]
DATETIME_CONFIG = CURRENT
KV_MODE = xml
LINE_BREAKER = (<SaveQuote>)
MUST_BREAK_AFTER = \</SaveQuote\>
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
MAX_EVENTS = 20000
0 Karma
Reply

beatus
Communicator
‎06-20-2016 07:03 AM

You shouldn't need your MUST_BREAK_AFTER at all. Your line breaker just needs to be modified a bit:

LINE_BREAKER = ([\r\n]+\s*\<break\>)

If you need the break to stay in the data, move it out of the parens. Like so:

LINE_BREAKER = ([\r\n]+\s*)\<break\>

To be sure, the break is actually in the data? If not, use this:

LINE_BREAKER = ([\r\n]+\s*)\<SaveQuote\>

Just a note - I used \s* as i'm not sure if there's always a space before the "SaveQuote" or "break" In your data.

Reply

johnbuhlhiscox
New Member
‎06-20-2016 07:32 AM

@beatus

Thank you for the quick reply, however, this still doesn't work. Nothing is breaking after several attempts to modify the settings, restart the forwarder service, and even clear out the index. Perhaps, I am not changing the correct files in the correct location.

Both my inputs.conf and props.conf files are in the following location:
D:\programs\SplunkUniversalForwarder\etc\apps\webmethods\local

After I make changes, I restart the forward splunk at the command line with

> splunk restart
0 Karma
Reply

beatus
Communicator
‎06-20-2016 08:18 AM

Linebreaking must be done on an indexer, it's a parse time event. Universal forwarders do not parse data (Except in some situations around Indexed Extractions, but that doesn't apply here).

Try moving your props.conf to your indexers.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...