Hi,
I have XML data that can have up to 500+ lines, but Splunk is truncating at 257 lines. I've been trying combinations of LINE_BREAK and BREAK_ONLY_BEFORE, but no luck. I'm not sure if it's my regex or my config files or what.
Thanks,
Mike
I defined the stanza in inputs.conf:
[monitor:///app/freeswitch/cdrs/*.xml]
sourcetype = conf_cdr_xml
Here's my props.conf:
[conf_cdr_xml]
KV_MODE = xml
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = \<\/cdr\>
MAX_EVENTS = 100000
TRUNCATE=100000
NO_BINARY_CHECK = true
pulldown_type = true
And here is an example event:
5551231234-1234567test@test.net8000201521040386152104038815210403861521040388truetruefalsefalse5553214321XMLDEMO SITE5553214321555321432110.1.1.1655551231234;conf=555;mod;tone=NO_SOUNDS2dccfdde-279a-11e8-99a6-5903ab961f76mod_sofiapublicsofia/internal/5553214321@10.1.1.12515210403861521040388truetruefalsefalse5553214321XMLDEMO SITE5553214321555321432110.1.1.1655551231234;conf=555;mod;tone=NO_SOUNDS2dccfdde-279a-11e8-99a6-5903ab961f76mod_sofiapublicsofia/internal/5553214321@10.1.1.125
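An added example, not part of the original post and not Splunk tooling: a small Python lint that reads the props.conf stanza above and reports the settings that props.conf.spec documents as used only when SHOULD_LINEMERGE = true. The function names are hypothetical, and the check says nothing about whether the stanza is deployed on the instance that actually parses the data.

```python
# Added example: lint a props.conf stanza for line-merging settings that
# Splunk ignores when SHOULD_LINEMERGE = false (per props.conf.spec).
MERGE_ONLY = {"BREAK_ONLY_BEFORE", "BREAK_ONLY_BEFORE_DATE", "MUST_BREAK_AFTER",
              "MUST_NOT_BREAK_AFTER", "MUST_NOT_BREAK_BEFORE", "MAX_EVENTS"}
DEFAULT_LINE_BREAKER = r"([\r\n]+)"  # documented default for LINE_BREAKER

# Stanza copied from the post above.
PROPS = r"""
[conf_cdr_xml]
KV_MODE = xml
SHOULD_LINEMERGE = false
BREAK_ONLY_BEFORE = \<\/cdr\>
MAX_EVENTS = 100000
TRUNCATE=100000
NO_BINARY_CHECK = true
pulldown_type = true
"""

def parse_stanzas(text):
    """Return {stanza: {key: value}} from .conf text (no continuation lines)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def lint_stanza(settings):
    """Return a list of (setting, message) findings for one stanza."""
    findings = []
    # SHOULD_LINEMERGE defaults to true when the stanza does not set it.
    merge = settings.get("SHOULD_LINEMERGE", "true").lower() in ("true", "1", "t", "yes", "y")
    if not merge:
        for key in sorted(MERGE_ONLY.intersection(settings)):
            findings.append((key, "ignored while SHOULD_LINEMERGE = false"))
        if "LINE_BREAKER" not in settings:
            findings.append(("LINE_BREAKER", "unset, so the default %s ends an "
                             "event at every newline" % DEFAULT_LINE_BREAKER))
    return findings

if __name__ == "__main__":
    for name, settings in parse_stanzas(PROPS).items():
        for key, message in lint_stanza(settings):
            print("[%s] %s: %s" % (name, key, message))
```

On a live instance, `splunk btool props list conf_cdr_xml --debug` shows the merged settings and which file each one comes from.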