topic Re: How to add and parse XML data in Splunk? in Getting Data In

How to add and parse XML data in Splunk?

prijila — Mon, 17 Nov 2014 19:48:07 GMT

Hi,
I have an XML file as my source file. It has the following structure:

<photos>
     <photo id="123" title="Birthday" format="jpg">
          <owner id="1111">Jason</owner>
          <comments>
              <comment ownerid="112">Good pic!</comment>
              <comment ownerif="223">Happy birthday</comment>
          <comments>
      </photo>
</photos>

How do i parse this and load this data into splunk?

Thank you in advance.

Re: How to add and parse XML data in Splunk?

Raghav2384 — Mon, 17 Nov 2014 19:53:38 GMT

xmlkv and path should help you. Please refer this answer http://answers.splunk.com/answers/54957/how-to-extract-data-from-xml.html
Hope this helps.
Thanks,
Raghav

Re: How to add and parse XML data in Splunk?

aljohnson_splun — Tue, 18 Nov 2014 00:30:09 GMT

This might be helpful:
http://answers.splunk.com/answers/683/xml-input-line-breaking-and-field-extraction-how.html

Re: How to add and parse XML data in Splunk?

vasanthmss — Tue, 18 Nov 2014 17:38:38 GMT

Hi,

sample xml,

<photos>
<photo id="1231" title="Birthday" format="jpg">
<owner id="1112">Jason</owner>
<comments>
<comment ownerid="113">Good pic!</comment>
<comment ownerid="224">Happy birthday</comment>
<comments>
</photo>
</photos>

props.conf

[yoursourcetype]
DATETIME_CONFIG = CURRENT
KV_MODE = xml
LINE_BREAKER = (<photos>)
MUST_BREAK_AFTER = \</photos\>
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TRUNCATE = 0
pulldown_type = 1
FIELDALIAS-rootfields = photo.owner as Owner photo{@id} as PhotoID photo{@title} as PhotoTitle photo.owner{@id} as PhotoOwnerID photo{@format} as PhotoFormat photo.comments.comment{@ownerid} as CommentOwnerID photo.comments.comment as Comment

index=<yourindex> sourcetype=<yoursourcetype> | table  PhotoID,PhotoTitle,PhotoFormat,CommentOwnerID,Comment,Owner

Re: How to add and parse XML data in Splunk?

ifremer2015 — Tue, 21 Apr 2015 23:04:02 GMT

Which props.con should we modify ? ../etc/system or ..etc/apps

Thank you !

Re: How to add and parse XML data in Splunk?

krishnarajb2304 — Mon, 10 Aug 2015 18:49:06 GMT

In-case if the sourcetype belongs to one application you can update this in application (/etc/apps//local/props.conf.

The same sourcetype can be re-used in more than one application you can add it in system props.conf
/etc/system/local/props.conf.

Re: How to add and parse XML data in Splunk?

donaldwayne1975 — Wed, 15 Mar 2017 13:58:16 GMT

Very helpful. working with an XML that the designer decided to embed more fields in the value between the tags like this:
$field1=stuff,$field2=morestuff,$field3=evenmorestuff
Have not found a way to get these $fields to extract successfully. Suggestions?

Re: How to add and parse XML data in Splunk?

akocak — Thu, 30 Aug 2018 22:04:29 GMT

@donaldwayne1975
You can add EVAL into your props for this.

Re: How to add and parse XML data in Splunk?

RMcCurdyDOTcom — Tue, 26 Sep 2023 13:59:51 GMT

nmap XML to SPLUNK HEC !!!

https://github.com/freeload101/SCRIPTS/blob/b3f83288a9f289d86f6cdd04898478d0427097ce/Bash/NMAP_FRUIT.sh#L80

Re: How to add and parse XML data in Splunk?

RMcCurdyDOTcom — Wed, 06 Mar 2024 18:13:02 GMT

got nasty gram for posting links

search online for freeload101 github in scripts nmap_fruit.sh