XML Data Line Breaking on DateTime tag

ekenne06 · ‎01-28-2021

Here is my data normally.

2021-01-26 00:00:44.2885 [INFO] SIXPACService.SplunkForwarder.SplunkWriter Attempting to Splunk Message from SITA:
<?xml version="1.0" encoding="utf-8"?>
<DCNSMessage>
  <ID>SIXPAC</ID>
  <RType>14</RType>
  <DateTime>2021-01-26T00:00:35Z</DateTime>
  <ActiveLink>
    <StartDateTime>2021-01-25T23:50:00Z</StartDateTime>
    <StopDateTime>2021-01-26T00:00:00Z</StopDateTime>
    <LocationActive>
      <Location>S-SLC01</Location>
      <Active>0</Active>
    </LocationActive>
  </ActiveLink>
</DCNSMessage>

for some reason when the data gets indexed, it's line breaking, so I only get the following data:

2021-01-26 00:00:44.2885 [INFO] SIXPACService.SplunkForwarder.SplunkWriter Attempting to Splunk Message from SITA:
<?xml version="1.0" encoding="utf-8"?>
<DCNSMessage>
  <ID>SIXPAC</ID>
  <RType>14</RType>

Any idea on why it's breaking at the DateTime tag?

scelikok · ‎01-28-2021

Hi @ekenne06,

Splunk breaks events when it finds a timestamp by default. You should set timestamp like below;

[your_sourcetype]
TIME_PREFIX = ^
TIMEFORMAT = %Y-%m-%d %H:%M:%S.%4Q

If this reply helps you an upvote and "Accept as Solution" is appreciated.

ekenne06 · ‎01-28-2021

so I tried that and it's still breaking at that spot. I did a btool props --debug . Will update if I find anything there. Currently messing around with a few props.conf settings

XML Data Line Breaking on DateTime tag

indexer

props.conf

transforms.conf

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?