topic Re: KV_MODE not extracting xml fields in Getting Data In

KV_MODE not extracting xml fields

willcwhite — Thu, 09 Apr 2020 14:45:28 GMT

I have an app on a deployment server that runs a script and has splunk ingest the output which is valid xml. I've added a props.conf on the Search Heads with KV_MODE=xml but no fields are being extracted. When I run | xmlkv at the end of my query it extracts all xml fields. Is there anything I'm missing that would cause Splunk not to extract the xml fields automatically?

Thanks in advance

Re: KV_MODE not extracting xml fields

manjunathmeti — Thu, 09 Apr 2020 15:11:40 GMT

Can you post props.conf?

Re: KV_MODE not extracting xml fields

willcwhite — Wed, 30 Sep 2020 04:59:05 GMT

[mysourcetype]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
BREAK_ONLY_BEFORE=^\s+(<\w+:\w+>)
CHARSET=UTF-8
disabled=false
KV_MODE=xml
DATETIME_CONFIG=CURRENT
TRUNCATE=10000

This is the same props I have on the deployment server as well as the search heads

Re: KV_MODE not extracting xml fields

harsmarvania57 — Thu, 09 Apr 2020 15:27:20 GMT

Can you please provide raw data (mask any sensitive information) ? This answer might help you https://answers.splunk.com/answers/744449/how-to-parse-out-fields.html

Re: KV_MODE not extracting xml fields

willcwhite — Thu, 09 Apr 2020 17:44:59 GMT

    <d:GenID m:type="Edm.String">xxx</d:GenID>
    <d:PLANT_ID m:type="Edm.String">xxx</d:PLANT_ID>
    <d:TOTAL_SD_LINES m:type="Edm.Double">xxx</d:TOTAL_SD_LINES>
    <d:TOTAL_SD_LINES_WO_DELV m:type="Edm.Double">xxx</d:TOTAL_SD_LINES_WO_DELV>
    <d:TOTAL_DELV_LINES m:type="Edm.Double">xxx</d:TOTAL_DELV_LINES>
    <d:TOTAL_DELV_LINES_WO_TO m:type="Edm.Double">xxx</d:TOTAL_DELV_LINES_WO_TO>
    <d:TOTAL_TO_LINES m:type="Edm.Double">xxx</d:TOTAL_TO_LINES>
    <d:TOTAL_TO_LINES_CONFIRMED m:type="Edm.Double">xxx</d:TOTAL_TO_LINES_CONFIRMED>
    <d:TOTAL_TO_LINES_NOT_CONFIRMED m:type="Edm.Double">xx</d:TOTAL_TO_LINES_NOT_CONFIRMED>
  </m:properties>

Re: KV_MODE not extracting xml fields

to4kawa — Thu, 09 Apr 2020 19:55:23 GMT

| makeresults 
| eval _raw="<m:properties>
  <d:GenID m:type=\"Edm.String\">xxx</d:GenID>
  <d:PLANT_ID m:type=\"Edm.String\">xxx</d:PLANT_ID>
  <d:TOTAL_SD_LINES m:type=\"Edm.Double\">xxx</d:TOTAL_SD_LINES>
  <d:TOTAL_SD_LINES_WO_DELV m:type=\"Edm.Double\">xxx</d:TOTAL_SD_LINES_WO_DELV>
  <d:TOTAL_DELV_LINES m:type=\"Edm.Double\">xxx</d:TOTAL_DELV_LINES>
  <d:TOTAL_DELV_LINES_WO_TO m:type=\"Edm.Double\">xxx</d:TOTAL_DELV_LINES_WO_TO>
  <d:TOTAL_TO_LINES m:type=\"Edm.Double\">xxx</d:TOTAL_TO_LINES>
  <d:TOTAL_TO_LINES_CONFIRMED m:type=\"Edm.Double\">xxx</d:TOTAL_TO_LINES_CONFIRMED>
  <d:TOTAL_TO_LINES_NOT_CONFIRMED m:type=\"Edm.Double\">xx</d:TOTAL_TO_LINES_NOT_CONFIRMED>
</m:properties>
<m:properties>
  <d:GenID m:type=\"Edm.String\">xxx</d:GenID>
  <d:PLANT_ID m:type=\"Edm.String\">xxx</d:PLANT_ID>
  <d:TOTAL_SD_LINES m:type=\"Edm.Double\">xxx</d:TOTAL_SD_LINES>
  <d:TOTAL_SD_LINES_WO_DELV m:type=\"Edm.Double\">xxx</d:TOTAL_SD_LINES_WO_DELV>
  <d:TOTAL_DELV_LINES m:type=\"Edm.Double\">xxx</d:TOTAL_DELV_LINES>
  <d:TOTAL_DELV_LINES_WO_TO m:type=\"Edm.Double\">xxx</d:TOTAL_DELV_LINES_WO_TO>
  <d:TOTAL_TO_LINES m:type=\"Edm.Double\">yyy</d:TOTAL_TO_LINES>
  <d:TOTAL_TO_LINES_CONFIRMED m:type=\"Edm.Double\">xxx</d:TOTAL_TO_LINES_CONFIRMED>
  <d:TOTAL_TO_LINES_NOT_CONFIRMED m:type=\"Edm.Double\">xx</d:TOTAL_TO_LINES_NOT_CONFIRMED>
</m:properties>" 
| rex mode=sed "s/(?ms)([\r\n\s]+)\<m/#<m/g" 
| makemv delim="#" _raw 
| stats count by _raw 
| xmlkv

For this result, props.conf is following:

[yoursourcetype]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n\s]+)\<m
NO_BINARY_CHECK=true
CHARSET=UTF-8
disabled=false
KV_MODE=xml
DATETIME_CONFIG=CURRENT
TRUNCATE=0

How about this?

Re: KV_MODE not extracting xml fields

wwhite12 — Thu, 16 Apr 2020 16:50:24 GMT

This issue was that the app was not visible and in scope with the user. This issue was resolved by adding a metadata file in the SHC app as follows
shcluster/apps/appname/metadata/

File: default.meta

[]
export=system