We have logs that are written to a single file. Each log entry looks like this:
<LogEntry>
<UserName>IIS APPPOOL\ASP.NET v4.0</UserName>
<TimeStamp>02/28/2014 13:54:17</TimeStamp>
<ThreadName>20</ThreadName>
<CorrelationId>7a0d464d-556c-4d47-820f-0cf01322e54c</CorrelationId>
<LoggerName>-Api-booking</LoggerName>
<Level>INFO</Level>
<Identity></Identity>
<Domain>API-1-130380690118132000</Domain>
<CreatedOn>02/28/2014 13:54:22</CreatedOn>
<ExceptionObject />
<RenderedMessage>"7a0d464d-556c-4d47-820f-0cf01322e54c" - "GET https://myapi.com/booking" - API-"Response":
"Unauthorized"</RenderedMessage>
</LogEntry>
When we import these logs into Splunk, a log entry is wrongly split into 3 parts, e.g.
1 -
<LogEntry>
<UserName>IIS APPPOOL\ASP.NET v4.0</UserName>
2 -
<CreatedOn>02/28/2014 02:57:55</CreatedOn>
<ExceptionObject />
<RenderedMessage>"66d8cdda-ff62-480a-b7d2-ec175b151e5f" - "POST https://myapi.com/booking" - API-"Response":
"Bad Request"</RenderedMessage>
</LogEntry>
3 -
<TimeStamp>02/28/2014 02:57:29</TimeStamp>
<ThreadName>21</ThreadName>
<CorrelationId>66d8cdda-ff62-480a-b7d2-ec175b151e5f</CorrelationId>
<LoggerName>-Api-booking</LoggerName>
<Level>INFO</Level>
<Identity></Identity>
<Domain>/LM/W3SVC/1/ROOT/Api-1-130380256918440000</Domain>
How do we configure Splunk so that it treats this as a single log event?
Answer 0 (score: 1)
props.conf (note LINE_BREAKER):
[your_xml_sourcetype]
TIME_PREFIX = <TimeStamp>
MAX_TIMESTAMP_LOOKAHEAD = 19
TZ = GMT
# A performance tweak is to disable SHOULD_LINEMERGE and then set the
# LINE_BREAKER to "line ending characters coming before a new time stamp"
# (note the direct link of the TIME_FORMAT to the regex of LINE_BREAKER).
TIME_FORMAT = %m/%d/%Y %T
LINE_BREAKER = ([\r\n]+)<LogEntry>
SHOULD_LINEMERGE = False
# 10000 is default, should be set on a case by case basis
TRUNCATE = 5000
# If the data does not have nice key=value pairs, (or some other readily
# machine parseable format, like JSON or XML), set KV_MODE = none so that
# Splunk doesn't spin its wheels on attempting to look for key = value
# pairs which don't exist.
KV_MODE = xml
# Leaving PUNCT enabled can impact indexing performance. Customers can
# comment this line if they need to use PUNCT
ANNOTATE_PUNCT = false
More information here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
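As an added example (not part of the question or of the answer above, and not Splunk's code), the following Python script emulates what the stanza's LINE_BREAKER, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, TIME_FORMAT and TZ settings do to a file in the question's format, so the regex and the lookahead can be checked against a sample before the props.conf change is rolled out. The sample entries are constructed here with make_entry() in the question's layout (CRLF line endings assumed); Splunk's %T is written out as %H:%M:%S because Python's strptime has no %T. The example also goes one step beyond the answer: a constructed entry whose RenderedMessage carries a newline followed by "<LogEntry>" shows that a regex line breaker cannot tell a forged boundary from a real one, which is why the is_complete() sanity check (and escaping newlines in the logger itself) is worth keeping.

```python
from __future__ import annotations

import re
from datetime import datetime, timezone
from typing import Optional

# Settings taken from the answer's props.conf stanza. Splunk's %T is shorthand
# for %H:%M:%S; Python's strptime has no %T, so it is spelled out here.
LINE_BREAKER = r"([\r\n]+)<LogEntry>"
TIME_PREFIX = r"<TimeStamp>"
MAX_TIMESTAMP_LOOKAHEAD = 19          # len("02/28/2014 13:54:17") == 19
TIME_FORMAT = "%m/%d/%Y %H:%M:%S"     # TIME_FORMAT = %m/%d/%Y %T in props.conf
TZ = timezone.utc                     # TZ = GMT


def make_entry(ts: str, thread: int, cid: str, message: str) -> str:
    """Build one constructed entry in the question's layout (CRLF endings assumed)."""
    fields = [
        ("UserName", "IIS APPPOOL\\ASP.NET v4.0"),
        ("TimeStamp", ts),
        ("ThreadName", str(thread)),
        ("CorrelationId", cid),
        ("LoggerName", "-Api-booking"),
        ("Level", "INFO"),
        ("Identity", ""),
        ("Domain", "API-1-130380690118132000"),
        ("CreatedOn", ts),
        ("ExceptionObject", None),            # rendered as the empty <ExceptionObject />
        ("RenderedMessage", f'"{cid}" - {message}'),
    ]
    lines = [f"<{k} />" if v is None else f"<{k}>{v}</{k}>" for k, v in fields]
    return "<LogEntry>\r\n" + "\r\n".join(lines) + "\r\n</LogEntry>\r\n"


# Constructed sample file: two well-formed entries shaped like the question's.
SAMPLE_LOG = (
    make_entry("02/28/2014 13:54:17", 20, "7a0d464d-556c-4d47-820f-0cf01322e54c",
               '"GET https://myapi.com/booking" - API-"Response":\r\n"Unauthorized"')
    + make_entry("02/28/2014 02:57:29", 21, "66d8cdda-ff62-480a-b7d2-ec175b151e5f",
                 '"POST https://myapi.com/booking" - API-"Response":\r\n"Bad Request"')
)

# Constructed entry whose message (hypothetically echoing request data) contains a
# newline followed by "<LogEntry>": the breaker cannot tell it from a real boundary.
FORGED_LOG = make_entry("02/28/2014 02:58:01", 22, "00000000-0000-0000-0000-000000000000",
                        '"GET https://myapi.com/booking?q=x" - API-"Response":\r\n<LogEntry>\r\n"OK"')


def break_events(raw: str, line_breaker: str = LINE_BREAKER) -> list[str]:
    """Emulate LINE_BREAKER with SHOULD_LINEMERGE = false.

    The stream is cut at every match; only the text captured by the first group
    (the newline run) is discarded, so "<LogEntry>" stays at the head of the
    next event. Newlines inside RenderedMessage do not split an event because
    the regex also demands a following "<LogEntry>".
    """
    pattern = re.compile(line_breaker)
    events, start = [], 0
    for m in pattern.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip("\r\n") for e in events if e.strip()]


def extract_timestamp(event: str, lookahead: int = MAX_TIMESTAMP_LOOKAHEAD) -> Optional[datetime]:
    """Emulate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT + TZ.

    Returns None when the window after the prefix does not parse, which is what
    a too-small lookahead causes; the setting must cover all of "MM/DD/YYYY HH:MM:SS".
    """
    m = re.search(TIME_PREFIX, event)
    if not m:
        return None
    window = event[m.end(): m.end() + lookahead]
    try:
        return datetime.strptime(window, TIME_FORMAT).replace(tzinfo=TZ)
    except ValueError:
        return None


def is_complete(event: str) -> bool:
    """Sanity check: one event must be one whole <LogEntry> with its own TimeStamp."""
    return (event.startswith("<LogEntry>") and event.endswith("</LogEntry>")
            and "<TimeStamp>" in event)


def index(raw: str) -> list[dict]:
    """Run the emulated pipeline and return what the indexer would see per event."""
    out = []
    for ev in break_events(raw):
        cid = re.search(r"<CorrelationId>([^<]*)</CorrelationId>", ev)
        out.append({
            "time": extract_timestamp(ev),
            "correlation_id": cid.group(1) if cid else None,
            "complete": is_complete(ev),
            "lines": ev.count("\n") + 1,
        })
    return out


if __name__ == "__main__":
    for rec in index(SAMPLE_LOG) + index(FORGED_LOG):
        print(rec)
```

For SAMPLE_LOG every record comes out complete, 14 lines long (the same 14 lines as the entry in the question) and stamped from its own TimeStamp, not from CreatedOn. Calling extract_timestamp(event, lookahead=16) returns None because the window stops before the seconds, which is why MAX_TIMESTAMP_LOOKAHEAD must be at least 19 for this format. FORGED_LOG yields two events and neither passes is_complete(): the first ends mid-message and the second has no TimeStamp. The check only catches crude forgeries; a message that also carries a fake TimeStamp passes it, so the logger should escape or strip newlines from request-derived data before writing.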