Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: PROPS Configuration for XML source
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have some issues writing PROPS configuration for XML source file. Sample XML events (2 Events) are given below. Any help will be highly appreciated. Thank you so much.
TIME_PREFIX=
TIME_FORMAT=
LINE_BREAKER=
--------------------------------
<a2ETraceEvent xmlns=http://schemas.test.com/2014/06/a2ETraceEvent>
<System xmlns=http://schemas.test.com/2014/08/windows/events/systems>
<EventID>0</EventID>
<Type>3</Type>
<SubType Name="Error">0</SubType>
<Level>2</Level>
<TimeCreated SystemTime="2021-07-20T04:00:53.4370283Z" />
<Source Name="ATech.Notifications" />
<Correlation ActivityID="{975c26b1-7acd-4ea0-8ad6-d7be1358e5fc}" />
<Execution ProcessName="ATech.JobFramework.Job" ProcessID="292132" ThreadID="1" />
<AssemblyVersion>6.4.10100.1051</AssemblyVersion>
<Channel />
<Computer>XVL0SMEMAPPAGR14</Computer>
</System>
<ApplicationData>
<TraceData>
<DataItem>
<TraceRecord Severity="Error" xmlns=http://schemas.test.com/2014/10/a2ETraceEvent/TraceRecord>
<TraceIdentifier>ATech.Notifications</TraceIdentifier>
<Description>Error sending the email message generated for notification template 'Employee Training - ' with id = '12552'.</Description>
<AppDomain>ATech.JobFramework.Job.exe</AppDomain>
<Exception>
<ExceptionType>ATech.Common.Exceptions.SendEmailNotificationException, ATech.Common, Version=6.4.10100.1051, Culture=neutral, PublicKeyToken=null</ExceptionType>
<Message>Error sending the email message generated for notification template 'Employee Training - with id = '12552'.</Message>
<Source />
<ContextData>
<Resolution>Please verify that the server configured in the ECPSA is reachable. For further support, please contact your system administrator.</Resolution>
<ServerAddress>Changeit-mail-relay</ServerAddress>
</ContextData>
<StackTrace />
<InnerException>
<ExceptionType>System.Net.Mail.SmtpException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934a19</ExceptionType>
<Message>Failure sending mail.</Message>
<Source>System</Source>
<StackTrace> at System.Net.Mail.SmtpClient.Send(MailMessage message)
at ATech.Notifications.Providers.Mail.DefaultSmtpProvider.Send(MailMessage mailMessage, Notification notification)</StackTrace>
<InnerException>
<ExceptionType>System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=c77a52161934e08</ExceptionType>
<Message>The remote name could not be resolved</Message>
<Source>System</Source>
<StackTrace>
at System.Net.Mail.SmtpConnection.GetConnection(ServicePoint servicePoint)
at System.Net.Mail.SmtpClient.GetConnection()
at System.Net.Mail.SmtpClient.Send(MailMessage message)</StackTrace>
</InnerException>
</InnerException>
</Exception>
</TraceRecord>
</DataItem>
</TraceData>
</ApplicationData>
</a2ETraceEvent>
<a2ETraceEvent xmlns=http://schemas.test.com/2014/06/a2ETraceEvent>
<System xmlns=http://schemas.test.com/2014/08/windows/events/systems>
<EventID>1</EventID>
<Type>3</Type>
<SubType Name="Error">2</SubType>
<Level>1</Level>
<TimeCreated SystemTime="2021-07-20T04:00:54.4370283Z" />
<Source Name="ATech.Notifications" />
<Correlation ActivityID="{875c26b1-7acd-2ea0-8ad6-d7be1358e5f1}" />
<Execution ProcessName="ATech.JobFramework.Job" ProcessID="122132" ThreadID="1" />
<AssemblyVersion>6.4.10101.1061</AssemblyVersion>
<Channel />
<Computer>XVL0SMEMAPPAGR14</Computer>
</System>
<ApplicationData>
<TraceData>
<DataItem>
<TraceRecord Severity="Error" xmlns=http://schemas.test.com/2014/10/a2ETraceEvent/TraceRecord>
<TraceIdentifier>ATech.Notifications</TraceIdentifier>
<Description>Error sending the email message generated for notification template 'Employee Training - ' with id = '237521.</Description>
<AppDomain>ATech.JobFramework.Job.exe</AppDomain>
<Exception>
<ExceptionType>ATech.Common.Exceptions.SendEmailNotificationException, ATech.Common, Version=6.4.10100.1051, Culture=neutral, PublicKeyToken=null</ExceptionType>
<Message>Error sending the email message generated for notification template 'Employee Training - with id = '237521'.</Message>
<Source />
<ContextData>
<Resolution>Please verify that the server configured in the ECPSA is reachable. For further support, please contact your system administrator.</Resolution>
<ServerAddress>Changeit-mail-relay</ServerAddress>
</ContextData>
<StackTrace />
<InnerException>
<ExceptionType>System.Net.Mail.SmtpException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=g77a5c561944t16</ExceptionType>
<Message>Failure sending mail.</Message>
<Source>System</Source>
<StackTrace>
at ATech.Notifications.Providers.Mail.DefaultSmtpProvider.Send(MailMessage mailMessage, Notification notification)</StackTrace>
<InnerException>
<ExceptionType>System.Net.WebException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=c77c52161934r19</ExceptionType>
<Message>The remote name could not be resolved</Message>
<Source>System</Source>
<StackTrace> at System.Net.ServicePoint.GetConnection(PooledStream PooledStream, Object owner, Boolean async, IPAddress& address, Socket& abortSocket, Socket&)
at System.Net.Mail.SmtpConnection.GetConnection(ServicePoint servicePoint)
at System.Net.Mail.SmtpClient.GetConnection()
at System.Net.Mail.SmtpClient.Send(MailMessage message)</StackTrace>
</InnerException>
</InnerException>
</Exception>
</TraceRecord>
</DataItem>
</TraceData>
</ApplicationData>
</a2ETraceEvent>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It would be helpful to know what you've tried already and what those results were, but these settings may help.
TIME_PREFIX = TimeCreated SystemTime="
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7N%Z
MAX_TIMESTAMP_LOOKAHEAD = 30
LINE_BREAKER = ([\r\n]+)\<a2ETraceEvent
SHOULD_LINEMERGE = falseIf this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It would be helpful to know what you've tried already and what those results were, but these settings may help.
TIME_PREFIX = TimeCreated SystemTime="
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7N%Z
MAX_TIMESTAMP_LOOKAHEAD = 30
LINE_BREAKER = ([\r\n]+)\<a2ETraceEvent
SHOULD_LINEMERGE = falseIf this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much. Your codes are working as expected. My mistake was assigning TIME_FORMAT and LINE_BREAKER parameters. Thank you again, appreciated!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Tiling
SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...
Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern
