getting only half of logs in the splunk from monit...

nasrinmulani · ‎08-09-2018

Hi All,

I have large XML file, i have indexed it using BREAK_ONLY_BEFORE and MUST_BREAK_AFT.
But i am getting partial events from not the whole.

From around 600, i am getting only 29 records.

I don't know whats the problem. I got this previously also.

nasrinmulani · ‎08-09-2018

I have changes line breaker to BREAK_ONLY_BEFORE and MUST_BREAK_AFT previously.

sudosplunk · ‎08-09-2018

Hello,

Can you provide your props.conf and some sample events.

nasrinmulani · ‎08-13-2018

<Head>
123
 </Head>
 <Detail>
 <id>123</id>
 <Name>x</Name>
 </Detail>
 </Head>
 <Head>
 <Detail>
 <id>1234</id>
 <Name>y</Name>
 </Detail>
 </Head>
 <Head>
 <Detail>
 <id>12347</id>
 <Name>y</Name>
 </Detail>
<Tail>234<Tail>

I am giving this example log, but logs are too large in the size.
I am breaking it by tag.
Following is props.conf

[sourcetypename] 
BREAK_ONLY_BEFORE = <Detail>
MUST_BREAK_AFTER = <\/Detail>
NO_BINARY_CHECK = true
category = Custom
description = For event breaking
disabled = false
pulldown_type = true

getting only half of logs in the splunk from monitoring path

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

getting only half of logs in the splunk from monitoring path

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits