https://community.splunk.com/t5/Dashboards-Visualizations/is-possible-to-index-XML/m-p/162675#M10008 <P>is possible to index the XML pattern data into splunk and do Splunk search?</P> <P>In our case, we need to index the XML and co-relate the other logs using Splunk. Can you please suggest the best approach.</P> <P>Sample Data:</P> <P><LISTPERSONATTRIBUTES recordcount="717"><BR /> <PERSONATTRIBUTE id="3"><BR /> <NAME>firstName</NAME><BR /> <DESC>firstName</DESC><BR /> <ATTRIBUTETYPE>STRING</ATTRIBUTETYPE><BR /> <ISIMMUTABLE>true</ISIMMUTABLE><BR /> <CREATEDDATETIME>2008-07-03 02:41:19.0</CREATEDDATETIME><BR /> </PERSONATTRIBUTE><BR /> <PERSONATTRIBUTE id="4"><BR /> <NAME>lastName</NAME><BR /> <DESC>Last Name</DESC><BR /> <ATTRIBUTETYPE>STRING</ATTRIBUTETYPE><BR /> <ISIMMUTABLE>false</ISIMMUTABLE><BR /> <CREATEDDATETIME>2008-10-14 02:35:24.0</CREATEDDATETIME><BR /> </PERSONATTRIBUTE><BR /> <PERSONATTRIBUTE id="6"><BR /> <NAME>middleName</NAME><BR /> <DESC>Middle Name</DESC><BR /> <ATTRIBUTETYPE>STRING</ATTRIBUTETYPE><BR /> <ISIMMUTABLE>true</ISIMMUTABLE><BR /> <CREATEDDATETIME>2007-11-30 01:12:55.0</CREATEDDATETIME><BR /> </PERSONATTRIBUTE><BR /> </LISTPERSONATTRIBUTES></P> Tue, 13 May 2014 20:21:17 GMT dhavamanis 2014-05-13T20:21:17Z https://community.splunk.com/t5/Dashboards-Visualizations/is-possible-to-index-XML/m-p/162675#M10008 <P>is possible to index the XML pattern data into splunk and do Splunk search?</P> <P>In our case, we need to index the XML and co-relate the other logs using Splunk. Can you please suggest the best approach.</P> <P>Sample Data:</P> <P><LISTPERSONATTRIBUTES recordcount="717"><BR /> <PERSONATTRIBUTE id="3"><BR /> <NAME>firstName</NAME><BR /> <DESC>firstName</DESC><BR /> <ATTRIBUTETYPE>STRING</ATTRIBUTETYPE><BR /> <ISIMMUTABLE>true</ISIMMUTABLE><BR /> <CREATEDDATETIME>2008-07-03 02:41:19.0</CREATEDDATETIME><BR /> </PERSONATTRIBUTE><BR /> <PERSONATTRIBUTE id="4"><BR /> <NAME>lastName</NAME><BR /> <DESC>Last Name</DESC><BR /> <ATTRIBUTETYPE>STRING</ATTRIBUTETYPE><BR /> <ISIMMUTABLE>false</ISIMMUTABLE><BR /> <CREATEDDATETIME>2008-10-14 02:35:24.0</CREATEDDATETIME><BR /> </PERSONATTRIBUTE><BR /> <PERSONATTRIBUTE id="6"><BR /> <NAME>middleName</NAME><BR /> <DESC>Middle Name</DESC><BR /> <ATTRIBUTETYPE>STRING</ATTRIBUTETYPE><BR /> <ISIMMUTABLE>true</ISIMMUTABLE><BR /> <CREATEDDATETIME>2007-11-30 01:12:55.0</CREATEDDATETIME><BR /> </PERSONATTRIBUTE><BR /> </LISTPERSONATTRIBUTES></P> Tue, 13 May 2014 20:21:17 GMT https://community.splunk.com/t5/Dashboards-Visualizations/is-possible-to-index-XML/m-p/162675#M10008 dhavamanis 2014-05-13T20:21:17Z https://community.splunk.com/t5/Dashboards-Visualizations/is-possible-to-index-XML/m-p/162676#M10009 <P>Yes indeed. Have look at the other post on similar lines.</P> <P><A href="http://answers.splunk.com/answers/70619/parsing-xml-log-files" target="_blank">http://answers.splunk.com/answers/70619/parsing-xml-log-files</A></P> <P><A href="http://answers.splunk.com/answers/2141/xml-log-source-type" target="_blank">http://answers.splunk.com/answers/2141/xml-log-source-type</A></P> <P><A href="http://answers.splunk.com/answers/28619/indexing-xml-log-file-input" target="_blank">http://answers.splunk.com/answers/28619/indexing-xml-log-file-input</A></P> <P>Update:<BR /> Try this (corrected regex and added MAX_DAYS_AGO to accommodate your older date values, increase more if you have timestamp older than then 4000 days( close to 12 years)</P> <P><STRONG>props.conf</STRONG> </P> <PRE><CODE>[fastone] BREAK_ONLY_BEFORE = (\&lt;personattribute\sid|\&lt;/listpersonattribute) NO_BINARY_CHECK = 1 REPORT-xmlext = xml-extr SHOULD_LINEMERGE = true TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N TIME_PREFIX = \&lt;createddatetime\&gt; pulldown_type = 1 REPORT-xmlext = xml-extr MAX_DAYS_AGO = 4000 </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[xml-extr] REGEX = \&lt;(\w+)\&gt;([^\&gt;]*)\&lt;/ FORMAT = $1::$2 MV_ADD = true REPEAT_MATCH = true </CODE></PRE> <P>Regarding the date </P> Mon, 28 Sep 2020 16:36:06 GMT https://community.splunk.com/t5/Dashboards-Visualizations/is-possible-to-index-XML/m-p/162676#M10009 somesoni2 2020-09-28T16:36:06Z https://community.splunk.com/t5/Dashboards-Visualizations/is-possible-to-index-XML/m-p/162677#M10010 <P>@somesoni2 - if you put answers in the Answers box, then good things can happen: first, you can get credit for your answers. Second, and much more important: other users will see this as an ANSWERED question and so they will look at if they need help. So you will be helping many more people. UNANSWERED questions (like this one) are ignored by people who are looking for answers.<BR /> Please put answers in the Answers box!</P> Tue, 13 May 2014 21:26:25 GMT https://community.splunk.com/t5/Dashboards-Visualizations/is-possible-to-index-XML/m-p/162677#M10010 lguinn2 2014-05-13T21:26:25Z https://community.splunk.com/t5/Dashboards-Visualizations/is-possible-to-index-XML/m-p/162678#M10011 <P>Thank you, i am getting this error for line breaking and also event date not extracting from the xml attribute "createdDateTime", </P> <P>Line breaking regex has no capturing groups: &gt;\s*(?=&lt;personAttribute&gt;)</P> <P>We want to extract as a fields from each element in the xml. Can you please review the below,</P> <P>transforms.conf<BR /> [xml]<BR /> LINE_BREAKER = &gt;\s*(?=&lt;personAttribute&gt;)<BR /> TIME_PREFIX = &lt;createdDateTime&gt;<BR /> TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N<BR /> SHOULD_LINEMERGE = true<BR /> KV_MODE=xml<BR /> REPORT-xmlext = xml-extr</P> <P>props.conf<BR /> [xml-extr]<BR /> REGEX = &lt;(w+)&gt;([^&lt;]*)<BR /> FORMAT = $1::$2<BR /> MV_ADD = true<BR /> REPEAT_MATCH = true</P> Mon, 28 Sep 2020 16:36:46 GMT https://community.splunk.com/t5/Dashboards-Visualizations/is-possible-to-index-XML/m-p/162678#M10011 dhavamanis 2020-09-28T16:36:46Z https://community.splunk.com/t5/Dashboards-Visualizations/is-possible-to-index-XML/m-p/162679#M10012 <P>Try the updated answer.</P> Wed, 14 May 2014 19:18:04 GMT https://community.splunk.com/t5/Dashboards-Visualizations/is-possible-to-index-XML/m-p/162679#M10012 somesoni2 2014-05-14T19:18:04Z