I cannot find much helpful documentation on handling XML log files. This link seems to be on the right track but what happens if I have multiple log file formats with different element names:
http://www.splunk.com/wiki/Deploy:HowToWorkWithXMLLogFiles
Am I supposed to see xml_file as a source file type? I don't see it in the list of source types.
Here's what I'm wanting to parse. It's an Oracle database XML audit log:
<?xml version="1.0" encoding="UTF-8"?>
<Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-10_2.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-10_2.xsd">
<Version>10.2</Version>
<AuditRecord>
<Audit_Type>1</Audit_Type>
<Session_Id>735807</Session_Id>
<StatementId>9</StatementId>
<EntryId>1</EntryId>
<Extended_Timestamp>2010-05-02T23:14:49.399000</Extended_Timestamp>
<DB_User>FRAMEWK</DB_User>
<Client_Id>framewk</Client_Id>
<OS_User>jsoap</OS_User>
<Userhost>BIOA171</Userhost>
<OS_Process>1680:6008</OS_Process>
<Terminal>unknown</Terminal>
<Instance_Number>0</Instance_Number>
<Object_Schema>FRAMEWK</Object_Schema>
<Object_Name>APP_USER</Object_Name>
<Action>3</Action>
<Returncode>0</Returncode>
<Scn>1098595781</Scn>
<Sql_Text>SELECT ... FROM ...</Sql_Text>
</AuditRecord>
</Audit>
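One way to turn an Oracle XML audit trail like the one above into flat, searchable events before (or instead of) relying on a Splunk source type is to parse each AuditRecord yourself and emit one key="value" line per record. The following is an added example, not code from the question or from the Splunk wiki page it links. It assumes a hypothetical FIELD_ALIASES table that maps element names from different audit formats onto one canonical field name (that is how a second log format with different element names can land in the same fields); the sample document is constructed from the record in the question plus a second, constructed record with a non-zero Returncode so that failed actions can be picked out.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: the record from the question, plus a second constructed
# record with a non-zero Returncode (1031 is used here purely as a sample value).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-10_2.xsd">
<Version>10.2</Version>
<AuditRecord>
<Audit_Type>1</Audit_Type>
<Session_Id>735807</Session_Id>
<Extended_Timestamp>2010-05-02T23:14:49.399000</Extended_Timestamp>
<DB_User>FRAMEWK</DB_User>
<OS_User>jsoap</OS_User>
<Userhost>BIOA171</Userhost>
<Object_Schema>FRAMEWK</Object_Schema>
<Object_Name>APP_USER</Object_Name>
<Action>3</Action>
<Returncode>0</Returncode>
<Sql_Text>SELECT ... FROM ...</Sql_Text>
</AuditRecord>
<AuditRecord>
<Audit_Type>1</Audit_Type>
<Session_Id>735808</Session_Id>
<Extended_Timestamp>2010-05-02T23:15:02.000000</Extended_Timestamp>
<DB_User>FRAMEWK</DB_User>
<OS_User>jsoap</OS_User>
<Userhost>BIOA171</Userhost>
<Object_Schema>HR</Object_Schema>
<Object_Name>SALARIES</Object_Name>
<Action>3</Action>
<Returncode>1031</Returncode>
<Sql_Text>SELECT ... FROM ...</Sql_Text>
</AuditRecord>
</Audit>
"""

# Hypothetical alias table (an assumption of this example, not an Oracle or Splunk
# artifact): element names seen in different audit formats, mapped onto one
# canonical field name so downstream searches use a single field per concept.
FIELD_ALIASES = {
    "Extended_Timestamp": "timestamp",
    "Timestamp": "timestamp",
    "DB_User": "db_user",
    "DBUser": "db_user",
    "OS_User": "os_user",
    "OSUser": "os_user",
    "Userhost": "user_host",
    "Object_Schema": "object_schema",
    "Object_Name": "object_name",
    "Returncode": "returncode",
    "Sql_Text": "sql_text",
}


def local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def parse_audit_records(xml_text: str) -> List[Dict[str, str]]:
    """Return one flat dict per <AuditRecord>, with element names normalised
    through FIELD_ALIASES (unknown names are kept, lower-cased)."""
    root = ET.fromstring(xml_text)
    records: List[Dict[str, str]] = []
    for elem in root.iter():
        if local_name(elem.tag) != "AuditRecord":
            continue
        event: Dict[str, str] = {}
        for child in elem:
            name = local_name(child.tag)
            key = FIELD_ALIASES.get(name, name.lower())
            event[key] = (child.text or "").strip()
        records.append(event)
    return records


def failed_records(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records whose Returncode is not 0, i.e. statements that did not succeed;
    these are usually the first thing an audit reviewer wants to see."""
    return [r for r in records if r.get("returncode", "0") != "0"]


def to_kv_line(record: Dict[str, str]) -> str:
    """Render a record as a single key="value" line, the kind of event that
    field extraction handles with no XML awareness at all."""
    parts = []
    for key in sorted(record):
        value = record[key].replace("\\", "\\\\").replace('"', '\\"')
        parts.append(f'{key}="{value}"')
    return " ".join(parts)


if __name__ == "__main__":
    for rec in parse_audit_records(SAMPLE_XML):
        print(to_kv_line(rec))
```

The parser walks every element and keys on the local name, so the default namespace on the root (which otherwise forces you to write `{http://xmlns.oracle.com/...}AuditRecord` everywhere) is irrelevant, and a second format that nests its records differently still works as long as the record element is called AuditRecord or is added to the check. If the XML files come from a host you do not control, parse them with `defusedxml.ElementTree` in place of the standard module so entity expansion and external references are refused.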