Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

XML Log File Question

wlsplunker
New Member
‎03-14-2013 04:10 AM

Hi all,

I have an XML log file that looks something like this.

<matrix>
    <datasource>
    <name>ABC</name>
    </datasource>
    <datasource>
    <name>XYZ</name>
    </datasource>

    <datasource>
    <name>EFG</name>
    </datasource>
    <datasource>
    <name>RST</name>
    </datasource>
</matrix>

Basically, this is one big file that updates itself every 5 minutes and should be

read as a single entry for each refresh. Unfortunately, Splunk reads that

seperately and chops them up when parsing.

Is there a way to tell Splunk that it should read from and end at

for each event?

Tags (1)
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎03-14-2013 05:08 AM

Yes there is and can be done in two ways.

  1. use data preview (under New Data Input) to generate the sourcetype and event breaking for this file "matrix" for example.
  2. use props.conf to configure event breaking (see sections on BREAK_ONLY_BEFORE...)

http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf

0 Karma
Reply

lguinn2
Legend
‎03-14-2013 07:03 PM

No, because props.conf is organized into stanzas. The stanza header says which object (source, sourcetype or host) will be affected by the settings.

0 Karma
Reply

wlsplunker
New Member
‎03-14-2013 06:57 PM

if by using (2), it says "When set, Splunk creates a new event only if it encounters a new line that matches the
regular expression.". Would that mean my other logs (which are not configured this way) will be impacted someway?

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...

The same scenario plays out across financial institutions daily. A payment system fails at 11:30 AM on a busy ...

Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25

Hello Splunkers, Want to attend .conf25 in Boston this year but not sure how to convince your manager? We've ...

Community Spotlight: A Splunk Expert's Journey

In the world of data analytics, some journeys leave a lasting impact not only on the individual but on the ...
Top