topic How to convert a single XML event into multiple events? in Dashboards & Visualizations

How to convert a single XML event into multiple events?

lchandrakanth — Tue, 20 Oct 2015 18:58:37 GMT

Hi,

I have an XML file with multiple tags, I want to split it into multiple events. What are the configuration need to add in props.conf file

Here is the example,

INFO 2015-01-08 10:16:49  
<V_XML Version="2.0" Direction="Response">  
    <Enquiry >
    <Result />    
    <3DSID>...</3DSIDID>   
    <CHAID>...</CHAID>   
    <CHADD>...</CHADD>    
    <EC>...</EC>
    </Enquiry>
</V_XML>
-------------------
INFO 2015-01-08 10:16:50 
<V_XML Version="2.0" >
     <Transaction >
        <CHAID>...</CHAID>
        <CHADD>...</CHADD>
        <Amt>...</Amt>
        <Currency>...</Currency>
        <EC>...</EC>
        <ExpiryD>......</ExpiryD>
        <MerchantRef>...</MerchantRef>
        <CSCode>...</CSCode>
        <PAN>...</PAN>
      </Transaction>
    </V_XML>

Re: How to convert a single XML event into multiple events?

somesoni2 — Tue, 20 Oct 2015 19:46:07 GMT

Try something like this for your props.conf (on Indexer/Heavy Forwarder)

[YourSourceType]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\w+\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2:}\d{2}
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=^\w+\s+
MAX_TIMESTAMP_LOOKAHEAD=20

Re: How to convert a single XML event into multiple events?

lchandrakanth — Tue, 20 Oct 2015 20:01:12 GMT

Hi,

Thanks for the info and could you explain the LINE_BREAKER regx format? it will be very helpful for my reference.

Re: How to convert a single XML event into multiple events?

lchandrakanth — Tue, 20 Oct 2015 20:08:44 GMT

Thanks soni... I am understand it, the line break based on time stamp.

Re: How to convert a single XML event into multiple events?

somesoni2 — Tue, 20 Oct 2015 20:09:32 GMT

Basically on "INFO Timestamp" pattern.

Re: How to convert a single XML event into multiple events?

andrewb_splunk — Tue, 20 Oct 2015 20:10:30 GMT

Splunk documentation has good information on LINE_BREAKER. The topic http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/Configureeventlinebreaking is a good starting point.