topic Re: Dumping XML logs in Getting Data In

Dumping XML logs

20065945 — Wed, 23 Jul 2014 05:32:20 GMT

I want to dump the following XML log file keeping in mind the fact that it should give all the tags as a fields such that I could search the events where

Text="Application: Directory started" Category="BIG" Module="WorkflowHost"

What should I write in props.conf

b476f836-36dd-4c30-9a8e-0587c5d34b8d
2014-01-09 10:45:31.69
Application: Directory started
BIG
Workflow
Event
General
WorkflowHost

0
5420
e2ac3262e9b9d03f

b476f836-36dd-4c30-9a8e-0587c5d34b8d
2014-01-09 10:45:41.57
Application: PatientDirectory started
BIG
PatientDirectory
Event
General
PatientDirectory

0
2180
e2ac3262e9b9d03f

b476f836-36dd-4c30-9a8e-0587c5d34b8d
2014-01-09 10:45:42.15
Application: Report started
BIG
Workflow
Event
General
WorkflowHost

0
5420
e2ac3262e9b9d03f

PLs help....:)

Re: Dumping XML logs

strive — Wed, 23 Jul 2014 05:46:45 GMT

Check these

http://answers.splunk.com/answers/52391/xml-input

http://answers.splunk.com/answers/683/xml-input-line-breaking-and-field-extraction-how

http://answers.splunk.com/answers/29212/extracting-xml-log-files

Re: Dumping XML logs

20065945 — Wed, 23 Jul 2014 12:48:18 GMT

Thanks strive but I went through all these links. There is no solution over there. All the conversations are stuck at one point. Hence failure. 🙂

Re: Dumping XML logs

somesoni2 — Wed, 23 Jul 2014 15:01:03 GMT

This works fine for me with your sample data.

On Indexer,

props.conf

[thexml]
BREAK_ONLY_BEFORE = ^\<message\>
MAX_TIMESTAMP_LOOKAHEAD = 150
NO_BINARY_CHECK = 1
pulldown_type = 1
REPORT-xmlext = xmlkv-alternative

transforms.conf

[xmlkv-alternative]
REGEX = <([^\s\>]*)[^\>]*\>([^<]*)\<\/\1\>
FORMAT = $1::$2