Hi Team
Trying to ingest an XML file in the following raw format (an extracted portion as a sample; each event actually consists of many more values):
2015-08-08T00:00:00 23:58:00 MCP
I have line-broken the events with LINE_BREAKER on the row(s) and pointed TIME_PREFIX at date_of_stop. The events are broken nicely, but the time value picked up is the one immediately following the date value, which does not reflect the desired time_of_stop.
The following is the specified props.conf:

```
[source::/Users/daithi/Dataset_upload/montgomery-traffic-0809-sample.xml]
KV_MODE=xml
LINE_BREAKER=([\r\n]*)(?=\
MAX_TIMESTAMP_LOOKAHEAD=85
TIME_FORMAT=%Y-%m-%d\w\d\d:\d\d:\d\d\<\/date_of_stop\>%n\%H:%M:%S
```
When I run the preview of the data input, however, I get the following results:
![alt text][1]
I also tried to utilise the datetime.xml approach with a dummy mydatetime.xml and added the following lines based on reading other answers:

```
date_of_stop>(\d{4})-(\d{2})-(\d{2})
time_of_stop>(\d{2}):(\d{2}):(\d{2})
```

And updated the props.conf accordingly:

```
[source::/Users/daithi/Dataset_upload/montgomery-traffic-0809-sample.xml]
KV_MODE=xml
DATETIME_CONFIG=/Applications/Splunk/etc/mydatetime.xml
LINE_BREAKER=([\r\n]*)(?=\
# MAX_TIMESTAMP_LOOKAHEAD=85
# TIME_FORMAT=%Y-%m-%d\w\d\d:\d\d:\d\d\<\/date_of_stop\>%n\%H:%M:%S
```
But I then receive the following when viewing a preview of the data set (after a reboot of the Splunk services):
![alt text][2]
[1]: /storage/temp/158200-screen-shot-2016-09-01-at-35710-pm.png
[2]: /storage/temp/158201-screen-shot-2016-09-01-at-40750-pm.png
I've reviewed all the Splunk Answers questions related to this and applied a number of other variations, but I have not had a successful result where Splunk bypasses the time automatically detected straight after the date_of_stop value. I'm not convinced either that datetime.xml is the right approach, but it is where the documentation has led me to this point.
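To make the timestamp problem in the question concrete, here is an added example (not code from the post, and not Splunk's own parsing logic) that reproduces the two behaviours outside Splunk: a prefix-anchored extractor that takes the first timestamp-shaped string after `date_of_stop` (and so lands on the midnight `T00:00:00` placeholder), and two ways of combining the date from `date_of_stop` with the clock time from `time_of_stop`. The `<row>` wrapper, the element order and the sample values are constructed assumptions based on the field names mentioned in the question; `SAMPLE_EVENT` and `SWAPPED_EVENT` are not real data from the file.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Optional

# Constructed sample event (assumption): one <row> per stop, using the field
# names from the question. The real file carries many more child elements.
SAMPLE_EVENT = """<row>
  <date_of_stop>2015-08-08T00:00:00</date_of_stop>
  <time_of_stop>23:58:00</time_of_stop>
  <agency>MCP</agency>
</row>"""

# Same data with the two elements in the opposite order (also constructed),
# used to show which approach survives a change in element order.
SWAPPED_EVENT = """<row>
  <time_of_stop>23:58:00</time_of_stop>
  <date_of_stop>2015-08-08T00:00:00</date_of_stop>
  <agency>MCP</agency>
</row>"""

# Prefix-anchored extraction: find the date_of_stop tag, then read the first
# timestamp-shaped string after it. This mirrors what the question describes:
# the T00:00:00 midnight placeholder is taken, not the time_of_stop value.
NAIVE_RE = re.compile(r"<date_of_stop>(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")


def naive_timestamp(event: str) -> Optional[datetime]:
    m = NAIVE_RE.search(event)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")


# Combined extraction: one regex spanning both elements, pairing the date
# groups from date_of_stop with the time groups from time_of_stop. It only
# works when time_of_stop directly follows date_of_stop in the event.
COMBINED_RE = re.compile(
    r"<date_of_stop>(\d{4})-(\d{2})-(\d{2})T\d{2}:\d{2}:\d{2}</date_of_stop>"
    r"\s*<time_of_stop>(\d{2}):(\d{2}):(\d{2})</time_of_stop>"
)


def combined_timestamp(event: str) -> Optional[datetime]:
    m = COMBINED_RE.search(event)
    if not m:
        return None
    year, month, day, hour, minute, second = (int(g) for g in m.groups())
    return datetime(year, month, day, hour, minute, second)


# Parse-based alternative: treat the row as XML rather than text, so element
# order and whitespace do not matter. The date comes from date_of_stop and the
# clock time from time_of_stop; they are combined into one datetime.
def parsed_timestamp(event: str) -> Optional[datetime]:
    root = ET.fromstring(event)
    date_part = root.findtext("date_of_stop")
    time_part = root.findtext("time_of_stop")
    if date_part is None or time_part is None:
        return None
    day = datetime.strptime(date_part, "%Y-%m-%dT%H:%M:%S").date()
    clock = datetime.strptime(time_part, "%H:%M:%S").time()
    return datetime.combine(day, clock)


if __name__ == "__main__":
    for label, event in (("ordered", SAMPLE_EVENT), ("swapped", SWAPPED_EVENT)):
        print(label, "naive   :", naive_timestamp(event))
        print(label, "combined:", combined_timestamp(event))
        print(label, "parsed  :", parsed_timestamp(event))
```

The prefix-anchored extractor returns 2015-08-08 00:00:00 for the sample, which is the undesired result the question describes; both combining approaches return 2015-08-08 23:58:00. The regex that spans both elements depends on `time_of_stop` directly following `date_of_stop`, which is why it returns nothing for the swapped event, while the XML-parsing version is unaffected by element order.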