I am trying to create an event based on the xml data below. It repeats in the xml file multiple times. The Event starts at and ends with . Start time and endtime is . I haven't been able to get the props.conf file to break down the xml to create the events around this. Since the event has multiple time stamps in it, it is creating an event per time stamp. What am I doing wrong? and is there a way to remove the unnecessary data like between and .
props.conf
[log_xml]
BREAK_ONLY_BEFORE=<machine>
BREAK_ONLY_BEFORE_DATE=False
TIME_PREFIX=<start_time>
MAX_TIMESTAMP_LOOKAHEAD=20
SHOULD_LINEMERGE=True
XML FILE
<machine>
<machine_name>machine.splunk.net</machine_name>
<info>-- The Enterprise Vault entities on machine.splunk.net have been placed in backup mode. --</info>
<info>Network control connection is established between IP:port <--> IP:port</info>
<info>Network data connection is established between IP:Port <--> IP:port</info>
<set>
<set_resource_name>whatever resource</set_resource_name>
<tape_name>Family Name: "Media created 6/9/2014 6:00:03 PM"</tape_name>
- <volume>
<display_volume>Backup of "Machine name"</display_volume>
</volume>
<description>Backup set #4 on storage media #1 Backup set description: "prd-vault-diff"</description>
<backup_type>Backup Method: Differential</backup_type>
<start_time>Backup started on 6/9/2014 at 11:01:37 PM.</start_time>
- <directory>
<directory_name>Directory \</directory_name>
- <directory>
- <directory>
<directory_name>Directory \EVVaultStores</directory_name>
</directory>
- <directory>
<directory_name>Directory \EVVaultStores\VSFSA Ptn1</directory_name>
<file>PartitionSecuredNotification.xml</file>
</directory>
</directory>
</directory>
<end_time>Backup completed on 6/9/2014 at 11:01:38 PM.</end_time>
- <summary>
<misc>Backed up 1 file in 3 directories.</misc>
<new_processed_bytes>Processed 1,161 bytes in 1 second.</new_processed_bytes>
<vlm_hist_rateformat2>Throughput rate: 0.066 MB/min</vlm_hist_rateformat2>
</summary>
<filler>----------------------------------------------------------------------</filler>
</set>
<info>-- The Enterprise Vault entities on machine.splunk.net have been taken out of backup mode. --</info>
<filler>----------------------------------------------------------------------</filler>
</machine>
... View more