I'm on Splunk 6.2 at the moment.
I've specified a folder to monitor to collect NPS logs from a Windows 2012 server.
The files are stored as .log but the content is XML. So the fields aren't getting extracted properly.
How do I force the Universal forwarder to specify the data as XML?
Don't forget you will probably have to specify the BREAKONLY, BREAKBEFORE, BREAK_AFTER settings within the stanza for the sourcetype to prevent it from being a giant blob.
By the way, this is one of the lines from my log file:

<Event><Timestamp data_type="4">08/18/2015 17:22:56.609</Timestamp><Computer-Name data_type="1">NUCLEUS</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Acct-Session-Id data_type="2">7282B03F</Acct-Session-Id><Packet-Type data_type="0">4</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

[source::.../mylogs/*.log]
TIME_PREFIX = <Timestamp data_type="4">
BREAK_ONLY_BEFORE = ^<Event>
SHOULD_LINEMERGE = False
MUST_BREAK_AFTER = <\/Event>
I don't think this would work - you specified SHOULD_LINEMERGE = false but specified your line breaking settings via line merging options. Either use SHOULD_LINEMERGE = false with LINE_BREAKER = regex, something like

LINE_BREAKER = ([\r\n]+)<Event>

in your case, or use SHOULD_LINEMERGE = true with any of the other line breaking settings such as MUST_BREAK_AFTER (see props.conf and search for SHOULD_LINEMERGE for details).
You can verify your settings by using the "Add Data" wizard with one of your files (go to Settings -> Add Data -> Upload). This will show you the effect of the settings on your data before indexing it.
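To make the answer's point concrete, here is an added example (mine, not code from the thread and not Splunk's own code) that emulates in Python what the corrected stanza does to lines like the one posted: LINE_BREAKER splitting with SHOULD_LINEMERGE = false, timestamp extraction via TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD, and the per-element fields that KV_MODE = xml produces at search time, which is what gets the XML fields out for the original question. The stanza header is the one from the thread; the TIME_FORMAT and KV_MODE lines and the second sample event are assumptions I added, and the emulation simplifies Splunk's pipeline. One caveat for this setup: a universal forwarder does not parse events, so the line-breaking and timestamp settings belong in props.conf on the indexer (or a heavy forwarder), and KV_MODE on the search head.

```python
"""Emulation of the props.conf settings discussed in this thread.

Added example, not code from the original posts and not Splunk's own code.
It models three props.conf behaviours on constructed NPS/IAS-style XML lines:
  1. LINE_BREAKER (with SHOULD_LINEMERGE = false): the regex's first capturing
     group marks the event boundary and the captured text is discarded.
  2. TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD: where the timestamp is read from.
  3. KV_MODE = xml: child element names become search-time field names.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Corrected stanza following the answer: SHOULD_LINEMERGE = false pairs with
# LINE_BREAKER; BREAK_ONLY_BEFORE / MUST_BREAK_AFTER only apply when line
# merging is on. Assumed additions: TIME_FORMAT (Splunk's %3N = milliseconds;
# the emulation maps it to Python's %f), MAX_TIMESTAMP_LOOKAHEAD and KV_MODE.
PROPS_STANZA = r"""
[source::.../mylogs/*.log]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)<Event>
TIME_PREFIX = <Timestamp data_type="4">
TIME_FORMAT = %m/%d/%Y %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD = 24
KV_MODE = xml
"""

# Constructed sample: the first event is the line from the question, the
# second is made up to show a second boundary. NPS writes one <Event> per line.
SAMPLE_LOG = (
    '<Event><Timestamp data_type="4">08/18/2015 17:22:56.609</Timestamp>'
    '<Computer-Name data_type="1">NUCLEUS</Computer-Name>'
    '<Event-Source data_type="1">IAS</Event-Source>'
    '<Acct-Session-Id data_type="2">7282B03F</Acct-Session-Id>'
    '<Packet-Type data_type="0">4</Packet-Type>'
    '<Reason-Code data_type="0">0</Reason-Code></Event>\r\n'
    '<Event><Timestamp data_type="4">08/18/2015 17:23:01.120</Timestamp>'
    '<Computer-Name data_type="1">NUCLEUS</Computer-Name>'
    '<Event-Source data_type="1">IAS</Event-Source>'
    '<Packet-Type data_type="0">3</Packet-Type>'
    '<Reason-Code data_type="0">16</Reason-Code></Event>\r\n'
)


def parse_stanza(text):
    """Read the key = value lines of one props.conf stanza into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def break_lines(data, line_breaker):
    """LINE_BREAKER semantics: text up to capture group 1 closes the current
    event, the group's own text is dropped, text after it opens the next."""
    events, start = [], 0
    for m in re.finditer(line_breaker, data):
        if m.start(1) > start:
            events.append(data[start:m.start(1)])
        start = m.end(1)
    tail = data[start:].rstrip("\r\n")
    if tail:
        events.append(tail)
    return events


def extract_timestamp(event, time_prefix, lookahead):
    """Locate TIME_PREFIX, then read at most `lookahead` characters as the time."""
    m = re.search(time_prefix, event)
    if not m:
        return None  # Splunk would fall back to other timestamp heuristics
    window = event[m.end():m.end() + lookahead]
    ts = re.match(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}", window)
    return datetime.strptime(ts.group(0), "%m/%d/%Y %H:%M:%S.%f") if ts else None


def extract_xml_fields(event):
    """What KV_MODE = xml yields at search time: child element name -> text."""
    root = ET.fromstring(event)
    return {child.tag: child.text for child in root}


def index_events(data, stanza_text=PROPS_STANZA):
    """Run the three stages over raw file content and return the events."""
    settings = parse_stanza(stanza_text)
    lookahead = int(settings.get("MAX_TIMESTAMP_LOOKAHEAD", 128))
    results = []
    for raw in break_lines(data, settings["LINE_BREAKER"]):
        results.append({
            "_raw": raw,
            "_time": extract_timestamp(raw, settings["TIME_PREFIX"], lookahead),
            "fields": extract_xml_fields(raw) if settings.get("KV_MODE") == "xml" else {},
        })
    return results


if __name__ == "__main__":
    for ev in index_events(SAMPLE_LOG):
        print(ev["_time"], ev["fields"]["Packet-Type"], ev["fields"]["Reason-Code"])
```

Running the script prints one line per <Event> with its parsed time and the Packet-Type and Reason-Code fields; the same LINE_BREAKER and TIME_PREFIX values can be pasted into the "Add Data" preview mentioned above to confirm Splunk itself breaks the file the same way.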