Hello there,
I have a number of applications that I want to log to Splunk. I will be sending the data in an XML format via a UDP listener. The data that is being sent looks like:
`<log4j:event logger="ASP.global_asax" level="INFO" timestamp="1303830487907" thread="15"><log4j:message>New session started</log4j:message><log4j:properties><log4j:data name="log4japp" value="4ef113dd-9-129483040292873753(4644)" /><log4j:data name="log4jmachinename" value="W7-SUN-JSTANTON" /></log4j:properties></log4j:event>`
However, when it is processed by Splunk it appears like:
`Apr 26 16:18:09 127.0.0.1 log4j:messageNew session started/log4j:messagelog4j:properties /log4j:properties/log4j:event`
Basically it looks like Splunk has overwritten the opening node with the datetime that it received it, and as a result is losing the log level data. The applications that are sending it are using NLog with a log4j type target (with a Log4JXmlEventLayout layout). I have configured the sourcetype as log4jxml (custom name) but I think I need to tell it not to do something with the date/time field in the props.conf file (but I am not too sure what that something is).
I am also using the Windows version of Splunk, so the file paths are slightly different to the online manuals.
Any help would be most welcome.
Kind regards
Jonathan