<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Is it possible to ingest XML? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-ingest-XML/m-p/491485#M83973</link>
    <description>&lt;P&gt;It is 2019 and there is still not a comprehensive Splunk Answer or Documentation on how to ingest XML.&lt;/P&gt;

&lt;P&gt;Can someone explain to me how to configure props to ingest &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;&amp;lt;?xml version="1.0" encoding="utf-8"?&amp;gt;
  &amp;lt;ArrayOfUser xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"&amp;gt;
    &amp;lt;User&amp;gt;
      &amp;lt;Id&amp;gt;removed&amp;lt;/Id&amp;gt;
      &amp;lt;Uuid&amp;gt;removed&amp;lt;/Uuid&amp;gt;
      ... many more attributes at this same level ...
    &amp;lt;User&amp;gt;
    &amp;lt;User&amp;gt;
      &amp;lt;Id&amp;gt;removed&amp;lt;/Id&amp;gt;
      &amp;lt;Uuid&amp;gt;removed&amp;lt;/Uuid&amp;gt;
      ... many more attributes at this same level ...
    &amp;lt;User&amp;gt;
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Wed, 20 Nov 2019 00:28:53 GMT</pubDate>
    <dc:creator>nick405060</dc:creator>
    <dc:date>2019-11-20T00:28:53Z</dc:date>
    <item>
      <title>Is it possible to ingest XML?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-ingest-XML/m-p/491485#M83973</link>
      <description>&lt;P&gt;It is 2019 and there is still not a comprehensive Splunk Answer or Documentation on how to ingest XML.&lt;/P&gt;

&lt;P&gt;Can someone explain to me how to configure props to ingest &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;&amp;lt;?xml version="1.0" encoding="utf-8"?&amp;gt;
  &amp;lt;ArrayOfUser xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"&amp;gt;
    &amp;lt;User&amp;gt;
      &amp;lt;Id&amp;gt;removed&amp;lt;/Id&amp;gt;
      &amp;lt;Uuid&amp;gt;removed&amp;lt;/Uuid&amp;gt;
      ... many more attributes at this same level ...
    &amp;lt;User&amp;gt;
    &amp;lt;User&amp;gt;
      &amp;lt;Id&amp;gt;removed&amp;lt;/Id&amp;gt;
      &amp;lt;Uuid&amp;gt;removed&amp;lt;/Uuid&amp;gt;
      ... many more attributes at this same level ...
    &amp;lt;User&amp;gt;
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 20 Nov 2019 00:28:53 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-ingest-XML/m-p/491485#M83973</guid>
      <dc:creator>nick405060</dc:creator>
      <dc:date>2019-11-20T00:28:53Z</dc:date>
    </item>
    <item>
      <title>Re: Is it possible to ingest XML?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-ingest-XML/m-p/491486#M83974</link>
      <description>&lt;P&gt;This is not going to be props for your specific case (assuming you want each one of those users to be a separate event) but a similar example for props and transforms that I have to extract tracks from an itunes library XML file.&lt;BR /&gt;
They're also visible here: &lt;BR /&gt;
&lt;A href="https://github.com/smoreface/music_app_for_splunk/blob/master/default/transforms.conf" target="_blank"&gt;https://github.com/smoreface/music_app_for_splunk/blob/master/default/transforms.conf&lt;/A&gt;&lt;BR /&gt;
&lt;A href="https://github.com/smoreface/music_app_for_splunk/blob/master/default/props.conf" target="_blank"&gt;https://github.com/smoreface/music_app_for_splunk/blob/master/default/props.conf&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;transforms stanza:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[itunes_xml]
CLEAN_KEYS = true
FORMAT = $1::$2
REGEX = &amp;lt;key&amp;gt;([^&amp;lt;]+)&amp;lt;/key&amp;gt;&amp;lt;[^&amp;gt;]+&amp;gt;([^&amp;lt;]+)&amp;lt;/
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;props stanza:&lt;BR /&gt;
    [itunes_xml]&lt;BR /&gt;
    FIELDALIAS-iTunes_xml_Normie = Album AS album Artist AS artist Date_Added AS date_added Name AS track_name Play_Count AS play_count Play_Date AS last_played Play_Date_UTC AS last_played_utc Rating AS rating Release_Date AS release_date Size AS file_size Total_Time AS track_length Track_Number AS track_number&lt;BR /&gt;
    SEDCMD-xml&amp;amp;&lt;EM&gt;to&lt;/EM&gt;&amp;amp; = s/&amp;amp;#38;/&amp;amp;/g&lt;/P&gt;

&lt;P&gt;Example XML being parsed:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;&amp;lt;dict&amp;gt;
            &amp;lt;key&amp;gt;Track ID&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;10815&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Size&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;4338490&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Total Time&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;216816&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Track Number&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;1&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Track Count&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;10&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Year&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;2004&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Date Modified&amp;lt;/key&amp;gt;&amp;lt;date&amp;gt;2007-01-20T22:07:34Z&amp;lt;/date&amp;gt;
            &amp;lt;key&amp;gt;Date Added&amp;lt;/key&amp;gt;&amp;lt;date&amp;gt;2008-07-27T03:52:43Z&amp;lt;/date&amp;gt;
            &amp;lt;key&amp;gt;Bit Rate&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;160&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Sample Rate&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;44100&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Play Count&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;1&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Play Date&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;3319660819&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Play Date UTC&amp;lt;/key&amp;gt;&amp;lt;date&amp;gt;2009-03-12T07:00:19Z&amp;lt;/date&amp;gt;
            &amp;lt;key&amp;gt;Skip Count&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;1&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Skip Date&amp;lt;/key&amp;gt;&amp;lt;date&amp;gt;2010-06-14T22:40:10Z&amp;lt;/date&amp;gt;
            &amp;lt;key&amp;gt;Persistent ID&amp;lt;/key&amp;gt;&amp;lt;string&amp;gt;36990211F06BD125&amp;lt;/string&amp;gt;
            &amp;lt;key&amp;gt;Track Type&amp;lt;/key&amp;gt;&amp;lt;string&amp;gt;File&amp;lt;/string&amp;gt;
            &amp;lt;key&amp;gt;File Folder Count&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;5&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Library Folder Count&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;1&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Name&amp;lt;/key&amp;gt;&amp;lt;string&amp;gt;Cry&amp;lt;/string&amp;gt;
            &amp;lt;key&amp;gt;Artist&amp;lt;/key&amp;gt;&amp;lt;string&amp;gt;Sirens&amp;lt;/string&amp;gt;
            &amp;lt;key&amp;gt;Album&amp;lt;/key&amp;gt;&amp;lt;string&amp;gt;Tied To The Mast&amp;lt;/string&amp;gt;
            &amp;lt;key&amp;gt;Genre&amp;lt;/key&amp;gt;&amp;lt;string&amp;gt;Pop&amp;lt;/string&amp;gt;
            &amp;lt;key&amp;gt;Kind&amp;lt;/key&amp;gt;&amp;lt;string&amp;gt;MPEG audio file&amp;lt;/string&amp;gt;
            &amp;lt;key&amp;gt;Location&amp;lt;/key&amp;gt;&amp;lt;string&amp;gt;file:///Users/user/Music/iTunes/iTunes%20Music/Music/Sirens/Tied%20To%20The%20Mast/01%20Cry.mp3&amp;lt;/string&amp;gt;
        &amp;lt;/dict&amp;gt;
        &amp;lt;key&amp;gt;10817&amp;lt;/key&amp;gt;
        &amp;lt;dict&amp;gt;
            &amp;lt;key&amp;gt;Track ID&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;10817&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Size&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;4082943&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Total Time&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;254093&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Track Number&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;1&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Track Count&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;2&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Date Modified&amp;lt;/key&amp;gt;&amp;lt;date&amp;gt;2008-01-15T02:13:52Z&amp;lt;/date&amp;gt;
            &amp;lt;key&amp;gt;Date Added&amp;lt;/key&amp;gt;&amp;lt;date&amp;gt;2008-07-27T03:52:43Z&amp;lt;/date&amp;gt;
            &amp;lt;key&amp;gt;Bit Rate&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;128&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Sample Rate&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;44100&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Play Count&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;19&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Play Date&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;3441386101&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Play Date UTC&amp;lt;/key&amp;gt;&amp;lt;date&amp;gt;2013-01-19T04:35:01Z&amp;lt;/date&amp;gt;
            &amp;lt;key&amp;gt;Skip Count&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;1&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Skip Date&amp;lt;/key&amp;gt;&amp;lt;date&amp;gt;2009-02-10T22:07:13Z&amp;lt;/date&amp;gt;
            &amp;lt;key&amp;gt;Rating&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;40&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Album Rating&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;20&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Album Rating Computed&amp;lt;/key&amp;gt;&amp;lt;true/&amp;gt;
            &amp;lt;key&amp;gt;Persistent ID&amp;lt;/key&amp;gt;&amp;lt;string&amp;gt;36990211F06BD130&amp;lt;/string&amp;gt;
            &amp;lt;key&amp;gt;Track Type&amp;lt;/key&amp;gt;&amp;lt;string&amp;gt;File&amp;lt;/string&amp;gt;
            &amp;lt;key&amp;gt;File Folder Count&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;5&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Library Folder Count&amp;lt;/key&amp;gt;&amp;lt;integer&amp;gt;1&amp;lt;/integer&amp;gt;
            &amp;lt;key&amp;gt;Name&amp;lt;/key&amp;gt;&amp;lt;string&amp;gt;Gone&amp;lt;/string&amp;gt;
            &amp;lt;key&amp;gt;Artist&amp;lt;/key&amp;gt;&amp;lt;string&amp;gt;Straight No Chaser&amp;lt;/string&amp;gt;
            &amp;lt;key&amp;gt;Kind&amp;lt;/key&amp;gt;&amp;lt;string&amp;gt;AAC audio file&amp;lt;/string&amp;gt;
            &amp;lt;key&amp;gt;Location&amp;lt;/key&amp;gt;&amp;lt;string&amp;gt;file:///Users/user/Music/iTunes/iTunes%20Music/Music/Straight%20No%20Chaser/Unknown%20Album/01%20Gone.m4a&amp;lt;/string&amp;gt;
        &amp;lt;/dict&amp;gt;
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Hope this helps!&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 03:01:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-ingest-XML/m-p/491486#M83974</guid>
      <dc:creator>smoir_splunk</dc:creator>
      <dc:date>2020-09-30T03:01:32Z</dc:date>
    </item>
    <item>
      <title>Re: Is it possible to ingest XML?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-ingest-XML/m-p/491487#M83975</link>
      <description>&lt;P&gt;Just bring it in and set &lt;CODE&gt;KV_MODE = xml&lt;/CODE&gt; in &lt;CODE&gt;props.conf&lt;/CODE&gt; for your &lt;CODE&gt;sourcetype&lt;/CODE&gt; on your Search Head(s).&lt;/P&gt;</description>
      <pubDate>Wed, 20 Nov 2019 23:36:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Is-it-possible-to-ingest-XML/m-p/491487#M83975</guid>
      <dc:creator>woodcock</dc:creator>
      <dc:date>2019-11-20T23:36:31Z</dc:date>
    </item>
  </channel>
</rss>

