https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/345996#M22539 <P>Gorgeous - thank you !! we ended up extracting the XML fields using a series such as - <CODE>spath mlcpMetricsModel.env</CODE> ...</P> Mon, 07 Aug 2017 15:19:20 GMT ddrillic 2017-08-07T15:19:20Z https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/345992#M22535 <P>We have data as XML documents. How can we index each XML document as one Splunk event?</P> <P>A sample -</P> <PRE><CODE>&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt; &lt;mlcpMetricsModel xmlns="http://xxxxxxx"&gt; &lt;canonical&gt;xxxxxx&lt;/canonical&gt; &lt;duration&gt;PT41M3.401S&lt;/duration&gt; &lt;env&gt;PROD&lt;/env&gt; &lt;ecmProcDateTime&gt;20170727_M&lt;/ecmProcDateTime&gt; &lt;outputRecords&gt;4948262&lt;/outputRecords&gt; &lt;outputRecordsCommitted&gt;4948262&lt;/outputRecordsCommitted&gt; &lt;outputRecordsFailed&gt;0&lt;/outputRecordsFailed&gt; &lt;reportDate&gt;2017-08-02T10:49:31&lt;/reportDate&gt; &lt;source&gt;CDB&lt;/source&gt; &lt;startTime&gt;2017-08-02T10:08:18.512&lt;/startTime&gt; &lt;/mlcpMetricsModel&gt; </CODE></PRE> Wed, 02 Aug 2017 16:16:06 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/345992#M22535 ddrillic 2017-08-02T16:16:06Z https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/345993#M22536 <P>Try this</P> <PRE><CODE>[yoursourcetype] LINE_BREAKER = ([\r\n]+)(?=\&lt;mlcpMetricsModel ) SHOULD_LINEMERGE = false TIME_PREFIX = \&lt;reportDate\&gt; TIME_FORMAT = %Y-%m-%dT%H:%M:%S MAX_TIMESTAMP_LOOKAHEAD = 19 </CODE></PRE> Wed, 02 Aug 2017 16:21:35 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/345993#M22536 somesoni2 2017-08-02T16:21:35Z https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/345994#M22537 <P>@somesoni2, I think <CODE>\&lt;startTime\&gt;</CODE> is a better candidate for TimeStamp. However, @ddrillic must confirm.</P> Wed, 02 Aug 2017 16:56:04 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/345994#M22537 niketn 2017-08-02T16:56:04Z https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/345995#M22538 <P>Thank you both - let me check...</P> Wed, 02 Aug 2017 19:14:38 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/345995#M22538 ddrillic 2017-08-02T19:14:38Z https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/345996#M22539 <P>Gorgeous - thank you !! we ended up extracting the XML fields using a series such as - <CODE>spath mlcpMetricsModel.env</CODE> ...</P> Mon, 07 Aug 2017 15:19:20 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/345996#M22539 ddrillic 2017-08-07T15:19:20Z https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/345997#M22540 <P>Now that I'm preparing for the admin certification, I wonder why @somesoni2 set <CODE>MAX_TIMESTAMP_LOOKAHEAD = 19</CODE>, which obviously works but based on the data it appears that the value should be much higher.</P> Wed, 11 Apr 2018 17:29:36 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/345997#M22540 ddrillic 2018-04-11T17:29:36Z https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/345998#M22541 <P>The timestamp is extracted from <CODE>&lt;reportDate&gt;</CODE> tag which is <CODE>2017-08-02T10:49:31</CODE> , 19 character long value.</P> Wed, 11 Apr 2018 17:51:57 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/345998#M22541 somesoni2 2018-04-11T17:51:57Z https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/345999#M22542 <P>got it ; -) so, if <CODE>TIME_PREFIX</CODE> exists it starts from there, otherwise, from the beginning of the line.</P> Wed, 11 Apr 2018 20:40:38 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/345999#M22542 ddrillic 2018-04-11T20:40:38Z https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/346000#M22543 <P>(thumbs up)</P> <P>Just in case it's still confusing for anyone, it's the length of timestamp string represented by TIME_FORMAT string. (<CODE>%Y-%m-%dT%H:%M:%S =&gt; %Y(4)-(1)%m(2)-(1)%d(2)T(1)%H(2):(1)%M(2):(1)%S(2) =&gt; 4+1+2+1+2+1+2+1+2+1+2 =19</CODE>)</P> Wed, 11 Apr 2018 20:50:08 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-can-we-index-an-entire-XML-document-as-one-event/m-p/346000#M22543 somesoni2 2018-04-11T20:50:08Z