Getting Data In

XML Log File Question

wlsplunker
New Member

Hi all,

I have an XML log file that looks something like this.

<matrix>
    <datasource>
    <name>ABC</name>
    </datasource>
    <datasource>
    <name>XYZ</name>
    </datasource>

    <datasource>
    <name>EFG</name>
    </datasource>
    <datasource>
    <name>RST</name>
    </datasource>
</matrix>

Basically, this is one big file that updates itself every 5 minutes and should be

read as a single entry for each refresh. Unfortunately, Splunk reads that

seperately and chops them up when parsing.

Is there a way to tell Splunk that it should read from and end at

for each event?

Tags (1)
0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Yes there is and can be done in two ways.

  1. use data preview (under New Data Input) to generate the sourcetype and event breaking for this file "matrix" for example.
  2. use props.conf to configure event breaking (see sections on BREAK_ONLY_BEFORE...)

http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf

0 Karma

lguinn2
Legend

No, because props.conf is organized into stanzas. The stanza header says which object (source, sourcetype or host) will be affected by the settings.

0 Karma

wlsplunker
New Member

if by using (2), it says "When set, Splunk creates a new event only if it encounters a new line that matches the
regular expression.". Would that mean my other logs (which are not configured this way) will be impacted someway?

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...