HI, me again. Woodman helped me sort out formatting which allowed me to crack on and get exactly what I need from Avaya Session manager logs presented in XML format pushed to a folder on the server.
We've now got our AVAYA CM (a separate, but connected system) pushing its CDR data directly into the Splunk server into port TCP 9005. I'm getting the data in, but I'm trying to get my head around the props and transform files.
I think currently the props.conf for the XML is having a knock on effect on the TCP dump.
In props I have
KV_MODE = xml
LINE_BREAKER = (<\/call>[\r\n\s]+[\r\n\s]+)
SHOULD_LINEMERGE = false
TIME_PREFIX = \
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N
which is working perfectly for the XML
However my search on the TCP results in the file being displayed as a single event in each time period (_time)
060417 1625 00950 7 9 #901 07783384162 756958 028 0 0
060417 1625 01507 9 756958 07825722376 #901 065 0 0 893010
060417 1625 00017 9 754244 07860753736 #901 033 0 0 800614
060417 1625 00058 7 9 #901 07785592957 756837 133 0 0
060417 1625 00032 7 9 #901 01914876059 314010 138 0 0
060417 1626 00322 9 700468 0123456789 #901 161 0 0 800697
060417 1626 00214 9 700185 0987654321 #901 064 0 0 800637
I need to break each of those lines into separate events, without messing up the XML formatting. I can see lots of articles about transforms.conf and props.conf, but I can't get my head around it. I'm presuming my props.conf to fix the XML is messing this up a little.
Telecoms and Windows background more than a DB background really doesn't help...
Thanks for any help once again.
Stu..
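An added example (not from the original post) showing how the two feeds can be kept apart by giving each its own sourcetype stanza, so that settings written for the XML never reach the CDR stream. The sourcetype names, the inputs.conf stanza and the CDR timestamp layout (day-month-year, then hour-minute) are assumptions, and the XML stanza repeats the post's settings minus its truncated TIME_PREFIX line.

```ini
# inputs.conf (assumed): tag the TCP feed on 9005 with its own sourcetype,
# so it never picks up the XML line-breaking rules
[tcp://9005]
sourcetype = avaya_cdr

# props.conf
# XML settings from the post, scoped to the XML sourcetype only.
# Keep the existing TIME_PREFIX for this stanza; it is not repeated here.
[avaya_sm_xml]
KV_MODE = xml
LINE_BREAKER = (<\/call>[\r\n\s]+[\r\n\s]+)
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N

# One event per CDR record: break on every newline and never re-merge.
# Settings placed in a [default] stanza, or in a stanza matching both
# sources, would apply to the TCP feed as well; keeping them here avoids that.
[avaya_cdr]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Timestamp is the first two fields, e.g. "060417 1625". Reading it as
# ddmmyy HHMM is an assumption; check it against the CM's CDR date format.
TIME_PREFIX = ^
TIME_FORMAT = %d%m%y %H%M
MAX_TIMESTAMP_LOOKAHEAD = 11
```

After changing props.conf, restart the indexer (or run the usual debug refresh) and confirm with a search that each CDR line now arrives as its own event with the expected _time.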