Getting Data In

XML Log File in Error Tags

Kyle_Brandt
Path Finder

I have an application that creates XML log files. Each entry takes multiple lines and is enclosed in <error> </error> tags, but there are other tags within it.

From reading other questions I believe I define a source type in the inputs.conf on the machine that has these log files (light forwarder). If that is true then I believe I define the specifics of this source type in the props.conf file. Should that props.conf file be on the machine with the logs or the indexing machine? Also, what should that props.conf file look like for a file like this? Lastly, how will I clear the already indexed log entries (confused, they think it is one per line) and get it to reindex them properly?


Genti
Splunk Employee
  • Line breaking / event breaking issues:
    Your XML file is not being parsed correctly and is creating single-line events for an event that should be multiline. I assume also the timestamp recognition is wrong?
    Then what you need to do is use props.conf / transforms.conf in order to force Splunk to line-break the events correctly.

  • Since your forwarder is a lightweight forwarder, you need to put these props/transforms on the INDEXER side.

  • Lastly, to clean your already indexed data you can use the clean command.

Hope this helps.

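To make the answer above concrete, here is an added example (not part of the original thread or of Genti's reply) of what the two configuration files would look like, together with a small Python model that applies the same LINE_BREAKER and timestamp settings to a constructed sample file so the regexes can be checked before they are deployed to the indexer. The sourcetype name `app_xml_error`, the monitor path, the `<timestamp>` tag and the sample log content are all assumptions made for the illustration; the props.conf keys themselves (SHOULD_LINEMERGE, LINE_BREAKER, TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD, TRUNCATE) are standard Splunk settings.

```python
import re
from datetime import datetime
from typing import List, Optional

# Constructed sample of the kind of file the question describes: two multi-line
# <error> entries with nested tags. Not taken from the original post.
SAMPLE_LOG = """<error>
  <timestamp>2024-05-01 12:00:01</timestamp>
  <severity>High</severity>
  <message>Login failed for user alice</message>
</error>
<error>
  <timestamp>2024-05-01 12:00:07</timestamp>
  <severity>Low</severity>
  <message>Cache miss on key session-42</message>
</error>
"""

# Hypothetical inputs.conf for the light forwarder: it only assigns the sourcetype.
# The monitor path and the sourcetype name "app_xml_error" are assumptions.
INPUTS_CONF = """[monitor:///var/log/app/*.xml]
sourcetype = app_xml_error
"""

# Hypothetical props.conf for the INDEXER: break only where a new <error> starts,
# and read the timestamp from the nested <timestamp> tag instead of letting Splunk
# guess it from the first line.
PROPS_CONF = r"""[app_xml_error]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=<error>)
TIME_PREFIX = <timestamp>
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
TRUNCATE = 0
"""

# The same settings as Python values, so the regexes can be exercised offline.
LINE_BREAKER = re.compile(r"([\r\n]+)(?=<error>)")
TIME_PREFIX = re.compile(r"<timestamp>")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 19


def break_per_line(raw: str) -> List[str]:
    """Rough model of what the poster observed: every line becomes its own event."""
    return [line for line in raw.splitlines() if line.strip()]


def break_events(raw: str) -> List[str]:
    """Model Splunk's LINE_BREAKER: the first capture group is the separator and is
    discarded; the text between two separators becomes one event."""
    parts = LINE_BREAKER.split(raw)
    # re.split returns [text, separator, text, separator, ...]; keep the text pieces.
    return [p.strip() for p in parts[::2] if p.strip()]


def extract_timestamp(event: str) -> Optional[datetime]:
    """Model TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT on a single event.
    Returns None when the event carries no <timestamp> tag at all."""
    m = TIME_PREFIX.search(event)
    if m is None:
        return None
    window = event[m.end(): m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    return datetime.strptime(window, TIME_FORMAT)


if __name__ == "__main__":
    print(f"per-line breaking (the problem): {len(break_per_line(SAMPLE_LOG))} events")
    for ev in break_events(SAMPLE_LOG):
        lines = ev.splitlines()
        print(extract_timestamp(ev), lines[0], "...", lines[-1])
```

With SHOULD_LINEMERGE = false the regex in LINE_BREAKER does all the work, which is cheaper and more predictable than the older pattern of leaving line merging on and setting BREAK_ONLY_BEFORE = <error>. MAX_TIMESTAMP_LOOKAHEAD is set to exactly the width of the timestamp string so nothing after it is considered. For the cleanup step Genti mentions, the relevant CLI form is `splunk clean eventdata -index <index_name>` run on the indexer; as the follow-up reply warns, this discards the indexed events, so keep the raw files. Note also that the forwarder tracks which files it has already read, so the cleaned data will not be re-read until that tracking state is reset as well.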

Genti
Splunk Employee

NOTE: use the clean command at your own risk, i.e. you will lose data if you do not have the raw data still available...
