Community:HowToWorkWithXMLLogFiles

From Splunk Wiki



Tips for working with XML log files

By default, the settings in apps/config/default/props.conf cause each XML file to be processed as a single event (there are no linebreaking rules). This is fine for plain XML content, but it is not ideal for XML log files, where each logged record should become its own event. To handle these, create a new source type definition in /apps/config/local/props.conf that includes linebreaking rules appropriate for your XML log data.

Important: Splunk recommends that you make this change in /apps/config/local/props.conf and not in apps/config/default/props.conf. Otherwise, your changes will be overwritten when you upgrade Splunk.


If you have some linebreaking rules that work for a product that logs in XML, feel free to post them here with some descriptive info.

Example

This example shows a mercado_xml stanza defined for the XML log file format that Mercado generates.


[mercado_xml]
TIME_PREFIX = ^.*TM\=\" 
TIME_FORMAT = %m-%dT%T
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\<Log\s+\w+=
MUST_BREAK_AFTER = Log>
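To see what the four settings in that stanza actually do to a log stream, here is an added Python model of the line merging and timestamp extraction they describe. It is not Splunk's code and not part of this page's original content: it is a simplified approximation of how SHOULD_LINEMERGE, BREAK_ONLY_BEFORE, MUST_BREAK_AFTER, TIME_PREFIX and TIME_FORMAT combine, run over a constructed sample in the shape the stanza expects (the sample is invented for illustration, not real Mercado output). It also adds the check a practitioner would want after defining such rules: every resulting event should parse as a complete, standalone XML element, which fails quickly if the breaking regexes are wrong.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample (not real Mercado output) in the shape the stanza expects:
# one <Log ...> ... </Log> element per logged record, spread over several lines.
SAMPLE_LOG = """<Log Level="INFO" TM="03-14T10:15:02">
  <Msg>session opened</Msg>
</Log>
<Log Level="WARN" TM="03-14T10:15:05">
  <Msg>retrying backend call</Msg>
  <Detail code="503"/>
</Log>
<Log Level="ERROR" TM="03-14T10:15:09">
  <Msg>backend unreachable</Msg>
</Log>
"""

# The stanza's settings, transcribed from the page.
BREAK_ONLY_BEFORE = re.compile(r"^<Log\s+\w+=")
MUST_BREAK_AFTER = re.compile(r"Log>")
TIME_PREFIX = re.compile(r'^.*TM="')
TIME_FORMAT = "%m-%dT%T"


def split_events(text):
    """Approximate SHOULD_LINEMERGE = true with the two breaking rules.

    Lines accumulate into the current event. A new event starts when the
    incoming line matches BREAK_ONLY_BEFORE, or when the previous line
    matched MUST_BREAK_AFTER. This is a simplified model of Splunk's line
    merger for illustration, not its implementation.
    """
    events = []
    current = []
    force_break = False
    for line in text.splitlines():
        if current and (force_break or BREAK_ONLY_BEFORE.search(line)):
            events.append("\n".join(current))
            current = []
        current.append(line)
        force_break = bool(MUST_BREAK_AFTER.search(line))
    if current:
        events.append("\n".join(current))
    return events


def extract_timestamp(event):
    """Apply TIME_PREFIX, then parse what follows it with TIME_FORMAT.

    Python's strptime has no %T directive (Splunk's does), so it is expanded
    to %H:%M:%S here. The format carries no year, so strptime yields 1900;
    Splunk would fill in the current year instead. Splunk reads up to
    MAX_TIMESTAMP_LOOKAHEAD characters after the prefix; this model simply
    stops at the attribute's closing quote.
    """
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    raw = event[m.end():].split('"', 1)[0]
    fmt = TIME_FORMAT.replace("%T", "%H:%M:%S")
    return datetime.strptime(raw, fmt)


def events_are_well_formed(events):
    """Sanity check for the breaking rules: each event must be a standalone,
    parseable XML element. A mis-split event (half a record, or two records
    glued together) fails here."""
    for event in events:
        try:
            ET.fromstring(event)
        except ET.ParseError:
            return False
    return True


if __name__ == "__main__":
    evs = split_events(SAMPLE_LOG)
    print(f"{len(evs)} events, well-formed: {events_are_well_formed(evs)}")
    for ev in evs:
        print(extract_timestamp(ev).strftime("%m-%d %H:%M:%S"), ev.splitlines()[0])
```

If `events_are_well_formed` returns False for your own data, the usual culprits are a BREAK_ONLY_BEFORE pattern that does not match the real opening tag (attribute order or whitespace differs) or a MUST_BREAK_AFTER pattern that also matches text inside the record.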
