Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

xml logs are terminated half way before end of log.

smudge797
Path Finder
‎07-29-2013 06:34 AM

We have a log which is being indexed ok to start with, however splunk stops reading it when only half has been indexed. the log is 4.6MB and XML format.

In data previewer:
500 events read
Bytes = 4,535,856
Events = 2,877 (about half)

Tags (3)
0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎08-06-2013 07:56 AM

You're probably triggering MAX_EVENTS in stitching the lines back together. By default Splunk breaks on newlines, then attempts to "linemerge" the lines back into the context of the main event (consider a stack trace with multiple lines...). The default behavior is to only seam together 257 (the original + 256 more) lines in this way. It's more efficient if you can tell Splunk "yo, just consume the whole file" rather than that split + recombine behavior.

For a file that is an entire, complete and single XML document, I'd suggest to set the LINE_BREAKER to "just grab everything" ^()$ and disable the linemerging functionality with SHOULD_LINEMERGE=false.

0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎08-04-2013 11:43 PM

Just to be clear... you're offering statistics from the data previewer, but you don't mean that do you? Splunk only previews a sub section of the data, not the whole file. You're talking about Splunk not actually indexing the whole file correct... not just that it's only previewing half.

If it has stopped reading the file before the file ends, there should be some reason for stopping indicated in the splunkd.log since Splunk will be taking action on the index.
TRUNCATE will come into play only if Splunk is suddenly seeing one big line for some reason...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply

linu1988
Champion
‎08-04-2013 10:57 PM

Could you add TRUNCATE=0 in props.conf?

0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎08-04-2013 10:33 PM

check the splunkd.log
$SPLUNK_HOME/var/log/splunk/splunkd.log
there might be something interesting in there...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...