I was having a challenging time getting XML indexed from a Windows server but finally got it in using the following:
Inputs.conf
[monitor://D:\data\applog\]
sourcetype = applog_xml
_whitelist = .*\.xml
crcSalt = <SOURCE>
Props.conf
[applog_xml]
MAX_EVENTS = 20000
TIME_PREFIX = \<TimeStamp\>
MAX_TIMESTAMP_LOOKAHEAD = 500
All my *.xml files lived under D:\data\applog\
Because the file is sooooo long I needed to extend how many lines the xml could be and successfully index, so I set it HIGH, 20,000
My time stamp wasn't listed until several hundred characters into the xml file so I went further than I needed to so I was sure to grab it, set it to 500
pstein
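A sizing check for the two props.conf limits used in the post above, added here as an example and not part of the original post. It measures how many lines a file has (for MAX_EVENTS) and how many characters the timestamp needs (for MAX_TIMESTAMP_LOOKAHEAD, which Splunk counts from the end of the TIME_PREFIX match when TIME_PREFIX is set). The sample XML, the function names and the assumption that each file is indexed as one event are constructed for illustration.

```python
import re

# Constructed sample file: <TimeStamp> appears a few hundred characters in,
# followed by 1000 entry lines. Not data from the original post.
SAMPLE_XML = (
    '<?xml version="1.0" encoding="utf-8"?>\n<AppLog>\n  <Header>\n'
    "    <Host>APPSRV01</Host>\n"
    "    <Component>" + "x" * 300 + "</Component>\n  </Header>\n"
    "  <TimeStamp>2013-05-02T14:31:07</TimeStamp>\n"
    + "".join(f'  <Entry id="{i}">ok</Entry>\n' for i in range(1000))
    + "</AppLog>\n"
)

def measure(xml_text, time_prefix=r"\<TimeStamp\>", close_tag="</TimeStamp>"):
    """Measure one file that is meant to be indexed as a single event."""
    lines = len(xml_text.splitlines())
    m = re.search(time_prefix, xml_text)
    if m is None:
        return {"lines": lines, "prefix_end": None, "timestamp_len": None}
    end = xml_text.find(close_tag, m.end())
    ts_len = end - m.end() if end != -1 else None
    return {"lines": lines, "prefix_end": m.end(), "timestamp_len": ts_len}

def needed_lookahead(stats, with_time_prefix=True):
    """Characters MAX_TIMESTAMP_LOOKAHEAD must cover.

    With TIME_PREFIX set, Splunk counts from the end of the prefix match;
    without it, from the start of the event.
    """
    if stats["timestamp_len"] is None:
        return None
    if with_time_prefix:
        return stats["timestamp_len"]
    return stats["prefix_end"] + stats["timestamp_len"]

def check(xml_text, max_events=20000, lookahead=500):
    """Return a list of problems for the given props.conf values."""
    stats = measure(xml_text)
    problems = []
    if stats["lines"] > max_events:
        problems.append(f"MAX_EVENTS={max_events} < {stats['lines']} lines")
    need = needed_lookahead(stats)
    if need is None:
        problems.append("no complete <TimeStamp> element found")
    elif need > lookahead:
        problems.append(f"MAX_TIMESTAMP_LOOKAHEAD={lookahead} < {need}")
    return problems

if __name__ == "__main__":
    print(measure(SAMPLE_XML), check(SAMPLE_XML))
```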