topic REST API modular input xml data parsing in All Apps and Add-ons

REST API modular input xml data parsing

leeyounsoo — Tue, 29 Sep 2020 19:02:56 GMT

hello splunk
i have a question that About extracting by specifying sourcetype in props.conf.
i want parsing xml data that Xml data received in response
but that data is not parsing

this is my develop environment
1. use REST API
- use REST API modular input
- Every 300 seconds https call setting
- index=main sourcetype=ex_st
- install in heavy Forwarder

cluster
1 search head (heavy forwarder and indexer master in 1 search header)
2 indexer(cluster)
props.conf [xmlData] category = Custom SHOULD_LINEMERGE = true KV_MODE = xml disabled = false TRUNCATE = 0 BREAK_ONLY_BEFORE = NO_BINARY_CHECK = true description = XML Data Field extract
received xml data sample

Re: REST API modular input xml data parsing

Damien_Dallimor — Tue, 17 Apr 2018 23:19:20 GMT

Is that XML above an example of what you want to be indexed ?

Re: REST API modular input xml data parsing

leeyounsoo — Tue, 29 Sep 2020 19:07:54 GMT

yes.
i want parsing event from that one xml data
like this :

event parsing
event parsing by "data" tag

----------1st evnet ----------
data
...(skip)
/data

----------2nd evnet ----------
data
...(skip)
/data

field extraction
fields data_tag0, data_tag1, data_tag2 ....(skip)

Re: REST API modular input xml data parsing

leeyounsoo — Wed, 02 May 2018 01:36:15 GMT

I knew why it was not automatically parsed and I solved it.

The reason it has not been parsed is that the XML data passed to the response is so large that the event is restricted and the XML structure is corrupted.

i modified the "TRUNCATE" setting to include all the XML data in one event so that it was automatically parsed.

Here is the props.conf configuration.

[xml_data]
KV_MODE = xml
# BREAK_ONLY_BEFORE = \<data_list_wrap
BREAK_ONLY_BEFORE = \ <\? Xml version = \ "1 \ .0 \" encoding = \ "UTF-8 \" \?
SHOULD_LINEMERGE = true
TRUNCATE = 70000