Splunk Search

PROPS Configuration for XML source

SplunkDash
Motivator

Hello,

I have some issues writing PROPS configuration for XML source file. Sample XML events (2 Events) are given below. Any help will be highly appreciated. Thank you so much.

TIME_PREFIX=

TIME_FORMAT=

LINE_BREAKER=

--------------------------------

<a2ETraceEvent xmlns=http://schemas.test.com/2014/06/a2ETraceEvent>

    <System xmlns=http://schemas.test.com/2014/08/windows/events/systems>

        <EventID>0</EventID>

        <Type>3</Type>

        <SubType Name="Error">0</SubType>

        <Level>2</Level>

        <TimeCreated SystemTime="2021-07-20T04:00:53.4370283Z" />

        <Source Name="ATech.Notifications" />

        <Correlation ActivityID="{975c26b1-7acd-4ea0-8ad6-d7be1358e5fc}" />

        <Execution ProcessName="ATech.JobFramework.Job" ProcessID="292132" ThreadID="1" />

        <AssemblyVersion>6.4.10100.1051</AssemblyVersion>

        <Channel />

        <Computer>XVL0SMEMAPPAGR14</Computer>

    </System>

    <ApplicationData>

        <TraceData>

            <DataItem>

                <TraceRecord Severity="Error" xmlns=http://schemas.test.com/2014/10/a2ETraceEvent/TraceRecord>

                    <TraceIdentifier>ATech.Notifications</TraceIdentifier>

                    <Description>Error sending the email message generated for notification template 'Employee Training - ' with id = '12552'.</Description>

                    <AppDomain>ATech.JobFramework.Job.exe</AppDomain>

                    <Exception>

                        <ExceptionType>ATech.Common.Exceptions.SendEmailNotificationException, ATech.Common, Version=6.4.10100.1051, Culture=neutral, PublicKeyToken=null</ExceptionType>

                        <Message>Error sending the email message generated for notification template 'Employee Training - with id = '12552'.</Message>

                        <Source />

                        <ContextData>

                            <Resolution>Please verify that the server configured in the ECPSA is reachable. For further support, please contact your system administrator.</Resolution>

                            <ServerAddress>Changeit-mail-relay</ServerAddress>

                        </ContextData>

                        <StackTrace />

                        <InnerException>

                            <ExceptionType>System.Net.Mail.SmtpException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934a19</ExceptionType>

                            <Message>Failure sending mail.</Message>

                            <Source>System</Source>

                            <StackTrace>   at System.Net.Mail.SmtpClient.Send(MailMessage message)

   at ATech.Notifications.Providers.Mail.DefaultSmtpProvider.Send(MailMessage mailMessage, Notification notification)</StackTrace>

                            <InnerException>

                                <ExceptionType>System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=c77a52161934e08</ExceptionType>

                                <Message>The remote name could not be resolved</Message>

                                <Source>System</Source>

                                <StackTrace>   

   at System.Net.Mail.SmtpConnection.GetConnection(ServicePoint servicePoint)

   at System.Net.Mail.SmtpClient.GetConnection()

   at System.Net.Mail.SmtpClient.Send(MailMessage message)</StackTrace>

                            </InnerException>

                        </InnerException>

                    </Exception>

                </TraceRecord>

            </DataItem>

        </TraceData>

    </ApplicationData>

</a2ETraceEvent>

<a2ETraceEvent xmlns=http://schemas.test.com/2014/06/a2ETraceEvent>

    <System xmlns=http://schemas.test.com/2014/08/windows/events/systems>

        <EventID>1</EventID>

        <Type>3</Type>

        <SubType Name="Error">2</SubType>

        <Level>1</Level>

        <TimeCreated SystemTime="2021-07-20T04:00:54.4370283Z" />

        <Source Name="ATech.Notifications" />

        <Correlation ActivityID="{875c26b1-7acd-2ea0-8ad6-d7be1358e5f1}" />

        <Execution ProcessName="ATech.JobFramework.Job" ProcessID="122132" ThreadID="1" />

        <AssemblyVersion>6.4.10101.1061</AssemblyVersion>

        <Channel />

        <Computer>XVL0SMEMAPPAGR14</Computer>

    </System>

    <ApplicationData>

        <TraceData>

            <DataItem>

                <TraceRecord Severity="Error" xmlns=http://schemas.test.com/2014/10/a2ETraceEvent/TraceRecord>

                    <TraceIdentifier>ATech.Notifications</TraceIdentifier>

                    <Description>Error sending the email message generated for notification template 'Employee Training - ' with id = '237521.</Description>

                    <AppDomain>ATech.JobFramework.Job.exe</AppDomain>

                    <Exception>

                        <ExceptionType>ATech.Common.Exceptions.SendEmailNotificationException, ATech.Common, Version=6.4.10100.1051, Culture=neutral, PublicKeyToken=null</ExceptionType>

                        <Message>Error sending the email message generated for notification template 'Employee Training - with id = '237521'.</Message>

                        <Source />

                        <ContextData>

                            <Resolution>Please verify that the server configured in the ECPSA is reachable. For further support, please contact your system administrator.</Resolution>

                            <ServerAddress>Changeit-mail-relay</ServerAddress>

                        </ContextData>

                        <StackTrace />

                        <InnerException>

                            <ExceptionType>System.Net.Mail.SmtpException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=g77a5c561944t16</ExceptionType>

                            <Message>Failure sending mail.</Message>

                            <Source>System</Source>

                            <StackTrace>  

   at ATech.Notifications.Providers.Mail.DefaultSmtpProvider.Send(MailMessage mailMessage, Notification notification)</StackTrace>

                            <InnerException>

                                <ExceptionType>System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=c77c52161934r19</ExceptionType>

                                <Message>The remote name could not be resolved</Message>

                                <Source>System</Source>

                                <StackTrace>   at System.Net.ServicePoint.GetConnection(PooledStream PooledStream, Object owner, Boolean async, IPAddress&amp; address, Socket&amp; abortSocket, Socket&amp;)

   at System.Net.Mail.SmtpConnection.GetConnection(ServicePoint servicePoint)

   at System.Net.Mail.SmtpClient.GetConnection()

   at System.Net.Mail.SmtpClient.Send(MailMessage message)</StackTrace>

                            </InnerException>

                        </InnerException>

                    </Exception>

                </TraceRecord>

            </DataItem>

        </TraceData>

    </ApplicationData>

</a2ETraceEvent>

Labels (1)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

It would be helpful to know what you've tried already and what those results were, but these settings may help.

TIME_PREFIX = TimeCreated SystemTime="
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7N%Z
MAX_TIMESTAMP_LOOKAHEAD = 30
LINE_BREAKER = ([\r\n]+)\<a2ETraceEvent
SHOULD_LINEMERGE = false
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

It would be helpful to know what you've tried already and what those results were, but these settings may help.

TIME_PREFIX = TimeCreated SystemTime="
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7N%Z
MAX_TIMESTAMP_LOOKAHEAD = 30
LINE_BREAKER = ([\r\n]+)\<a2ETraceEvent
SHOULD_LINEMERGE = false
---
If this reply helps you, Karma would be appreciated.

SplunkDash
Motivator

Thank you so much. Your codes are working as expected. My mistake was assigning TIME_FORMAT and  LINE_BREAKER parameters.  Thank you again, appreciated!

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...