Re: XML Data Line Breaking on DateTime tag

ekenne06 · ‎01-28-2021

Here is my data normally.

2021-01-26 00:00:44.2885 [INFO] SIXPACService.SplunkForwarder.SplunkWriter Attempting to Splunk Message from SITA:
<?xml version="1.0" encoding="utf-8"?>
<DCNSMessage>
  <ID>SIXPAC</ID>
  <RType>14</RType>
  <DateTime>2021-01-26T00:00:35Z</DateTime>
  <ActiveLink>
    <StartDateTime>2021-01-25T23:50:00Z</StartDateTime>
    <StopDateTime>2021-01-26T00:00:00Z</StopDateTime>
    <LocationActive>
      <Location>S-SLC01</Location>
      <Active>0</Active>
    </LocationActive>
  </ActiveLink>
</DCNSMessage>

for some reason when the data gets indexed, it's line breaking, so I only get the following data:

2021-01-26 00:00:44.2885 [INFO] SIXPACService.SplunkForwarder.SplunkWriter Attempting to Splunk Message from SITA:
<?xml version="1.0" encoding="utf-8"?>
<DCNSMessage>
  <ID>SIXPAC</ID>
  <RType>14</RType>

Any idea on why it's breaking at the DateTime tag?

scelikok · ‎01-28-2021

Hi @ekenne06,

Splunk breaks events when it finds a timestamp by default. You should set timestamp like below;

[your_sourcetype]
TIME_PREFIX = ^
TIMEFORMAT = %Y-%m-%d %H:%M:%S.%4Q

If this reply helps you an upvote and "Accept as Solution" is appreciated.

ekenne06 · ‎01-28-2021

so I tried that and it's still breaking at that spot. I did a btool props --debug . Will update if I find anything there. Currently messing around with a few props.conf settings

XML Data Line Breaking on DateTime tag

indexer

props.conf

transforms.conf

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation