https://community.splunk.com/t5/Dashboards-Visualizations/Event-breaks-in-an-XML-file-on-multiple-tags/m-p/130300#M7688 <P>Hi,</P> <P>Here in this answer you have mentioned "^...the search term is at the beginning of the line".<BR /> Is it really necessary to have that field in the start.</P> <P>In my case it's without any spaces or new line.</P> <P>`&lt; ?xml version="1.0" encoding="UTF-8"?&gt;&lt; Content&gt;&lt; Admin&gt;&lt; Disregard_1&gt;[]&lt; /Disregard_1&gt;&lt; Date_and_time&gt;Mon Jan 13 22:44:53 MET 2014&lt; /Date_and_time&gt;&lt; Domain&gt;01&lt; /Domain&gt;&lt; Disregard_4&gt;18512&lt; /Disregard_4&gt;&lt; Machine_name&gt;Server1&lt; /Machine_name&gt;&lt; Usecase&gt;12&lt; /Usecase&gt;<BR /> &lt; /Admin&gt;&lt; Order&gt;&lt; Disregard_1&gt;[---]&lt; /Disregard_1&gt;&lt; Date_and_time&gt;Wed Jan 15 11:19:25 MET 2014&lt; /Date_and_time&gt;&lt; Domain&gt;02&lt; /Domain&gt;&lt; Machine_name&gt;Server2&lt; /Machine_name&gt;&lt; Usecase&gt;06&lt; /Usecase&gt;&lt; Actor&gt;&lt; Type_of_actor&gt;USER&lt; /Type_of_actor&gt;&lt; /Actor&gt;&lt; /Order&gt;&lt; Order&gt;&lt; Disregard_1&gt;[---]&lt; /Disregard_1&lt; Date_and_time&gt;Thu Jan 16 12:18:03 MET 2014&lt; /Date_and_time&gt;&lt; Domain&gt;02&lt; /Domain&gt;&lt; Machine_name&gt;Server2&lt; /Machine_name&gt;&lt; Usecase&gt;06&lt; /Usecase&gt;&lt; /Order&gt;&lt; Alerting&gt;&lt; Disregard_1&gt;ab&lt; /Disregard_1&gt;&lt; Date_and_time&gt;Tue Jan 14 09:56:37 MET 2014&lt; /Date_and_time&gt;&lt; Machine_name&gt;Server3&lt; /Machine_name&gt;&lt; Usecase&gt;01&lt; /Usecase&gt;&lt; /Alerting&gt;&lt; /Content&gt;</P> <P>So will it work?</P> Tue, 29 Sep 2020 20:46:59 GMT nasrinmulani 2020-09-29T20:46:59Z https://community.splunk.com/t5/Dashboards-Visualizations/Event-breaks-in-an-XML-file-on-multiple-tags/m-p/130295#M7683 <P>I have an XML file with multiple tags I want to break on. Not all tags should cause a break, but only a subset.<BR /> E.g. <BR /> &lt; Security&gt; ... &lt; /Security&gt; should be an event<BR /> &lt; Admin&gt; ... &lt; /Admin&gt; should be another event<BR /> &lt; Order&gt; ... &lt; /Order&gt; should be another event</P> <P>I tried to break on a regex, but it did not work:<BR /> "&lt; Security&gt;" | "&lt; Admin&gt;" | "&lt; Order&gt;" | "&lt; Payment&gt;"</P> <P>A bonus would be if the header was disregarded/not listed.</P> Thu, 18 Sep 2014 13:20:08 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Event-breaks-in-an-XML-file-on-multiple-tags/m-p/130295#M7683 ulrich_track 2014-09-18T13:20:08Z https://community.splunk.com/t5/Dashboards-Visualizations/Event-breaks-in-an-XML-file-on-multiple-tags/m-p/130296#M7684 <P>Can you put your props and transforms configuration? Where are you placing your regex?</P> Thu, 18 Sep 2014 15:38:50 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Event-breaks-in-an-XML-file-on-multiple-tags/m-p/130296#M7684 alacercogitatus 2014-09-18T15:38:50Z https://community.splunk.com/t5/Dashboards-Visualizations/Event-breaks-in-an-XML-file-on-multiple-tags/m-p/130297#M7685 <P>I am putting the regex in Add data » Files &amp; directories » Data preview in the field Specify a pattern or regex to break before ex: \d+foo\d[2,4], Start Of Event, ^***</P> <P>the props and transforms are untouched, yet.</P> Fri, 19 Sep 2014 08:05:25 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Event-breaks-in-an-XML-file-on-multiple-tags/m-p/130297#M7685 ulrich_track 2014-09-19T08:05:25Z https://community.splunk.com/t5/Dashboards-Visualizations/Event-breaks-in-an-XML-file-on-multiple-tags/m-p/130298#M7686 <P>Here is a typical sample of this file (with adapted XML-Tags<BR /> &lt; ?xml version="1.0" encoding="UTF-8"?&gt;<BR /> &lt; Content&gt;<BR /> &lt; Admin&gt;<BR /> &lt; Disregard_1&gt;[]&lt; /Disregard_1&gt;<BR /> &lt; Date_and_time&gt;Mon Jan 13 22:44:53 MET 2014&lt; /Date_and_time&gt;<BR /> &lt; Domain&gt;01&lt; /Domain&gt;<BR /> &lt; Disregard_4&gt;18512&lt; /Disregard_4&gt;<BR /> &lt; Machine_name&gt;Server1&lt; /Machine_name&gt;<BR /> &lt; Usecase&gt;12&lt; /Usecase&gt;<BR /> &lt; /Admin&gt;<BR /> &#12;&lt; Order&gt;<BR /> &lt; Disregard_1&gt;[---]&lt; /Disregard_1&gt;<BR /> &lt; Date_and_time&gt;Wed Jan 15 11:19:25 MET 2014&lt; /Date_and_time&gt;<BR /> &lt; Domain&gt;02&lt; /Domain&gt;<BR /> &lt; Machine_name&gt;Server2&lt; /Machine_name&gt;<BR /> &lt; Usecase&gt;06&lt; /Usecase&gt;<BR /> &lt; Actor&gt;<BR /> &lt; Type_of_actor&gt;USER&lt; /Type_of_actor&gt;<BR /> &lt; /Actor&gt;<BR /> &lt; /Order&gt;<BR /> &lt; Order&gt;<BR /> &lt; Disregard_1&gt;[---]&lt; /Disregard_1&gt;<BR /> &lt; Date_and_time&gt;Thu Jan 16 12:18:03 MET 2014&lt; /Date_and_time&gt;<BR /> &lt; Domain&gt;02&lt; /Domain&gt;<BR /> &lt; Machine_name&gt;Server2&lt; /Machine_name&gt;<BR /> &lt; Usecase&gt;06&lt; /Usecase&gt;<BR /> &lt; /Order&gt;<BR /> &lt; Alerting&gt;<BR /> &lt; Disregard_1&gt;ab&lt; /Disregard_1&gt;<BR /> &lt; Date_and_time&gt;Tue Jan 14 09:56:37 MET 2014&lt; /Date_and_time&gt;<BR /> &lt; Machine_name&gt;Server3&lt; /Machine_name&gt;<BR /> &lt; Usecase&gt;01&lt; /Usecase&gt;<BR /> &lt; /Alerting&gt;<BR /> &lt; /Content&gt;</P> Mon, 28 Sep 2020 17:37:48 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Event-breaks-in-an-XML-file-on-multiple-tags/m-p/130298#M7686 ulrich_track 2020-09-28T17:37:48Z https://community.splunk.com/t5/Dashboards-Visualizations/Event-breaks-in-an-XML-file-on-multiple-tags/m-p/130299#M7687 <P>I found it:<BR /> You have to enter this string in the Regex-field of Data preview (please remove the blanks after the &lt; sign, I added them only because otherwise this forum would not accept it)</P> <P>(?m)^(&lt; Admin&gt;)|(&lt; Order&gt;)|(&lt; Security&gt;)|(&lt; Payment&gt;)</P> <P>It says: <BR /> (?m) ...go for multiline and do not stop at the first event you find<BR /> ^...the search term is at the beginning of the line<BR /> ()...a grouped search term<BR /> &lt; Admin&gt;...(e.g.) search the exact phrase, case-sensitive</P> <P>|...logical OR statement</P> <P>or directly in the props.conf file:<BR /> [<EM>NameOfTheSourcetype</EM>]<BR /> BREAK_ONLY_BEFORE = (?m)^(&lt; Admin&gt;)|(&lt; Order&gt;)|(&lt; Security&gt;)|(&lt; Payment&gt;)<BR /> NO_BINARY_CHECK = 1<BR /> TIME_PREFIX = &lt; Date_and_time&gt;<BR /> pulldown_type = 1</P> <P>The TIME_PREFIX was added by me, because my timestamp was tagged this way. You can leave it out, because your files will probably be tagged differently.</P> Mon, 28 Sep 2020 17:42:56 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Event-breaks-in-an-XML-file-on-multiple-tags/m-p/130299#M7687 ulrich_track 2020-09-28T17:42:56Z https://community.splunk.com/t5/Dashboards-Visualizations/Event-breaks-in-an-XML-file-on-multiple-tags/m-p/130300#M7688 <P>Hi,</P> <P>Here in this answer you have mentioned "^...the search term is at the beginning of the line".<BR /> Is it really necessary to have that field in the start.</P> <P>In my case it's without any spaces or new line.</P> <P>`&lt; ?xml version="1.0" encoding="UTF-8"?&gt;&lt; Content&gt;&lt; Admin&gt;&lt; Disregard_1&gt;[]&lt; /Disregard_1&gt;&lt; Date_and_time&gt;Mon Jan 13 22:44:53 MET 2014&lt; /Date_and_time&gt;&lt; Domain&gt;01&lt; /Domain&gt;&lt; Disregard_4&gt;18512&lt; /Disregard_4&gt;&lt; Machine_name&gt;Server1&lt; /Machine_name&gt;&lt; Usecase&gt;12&lt; /Usecase&gt;<BR /> &lt; /Admin&gt;&lt; Order&gt;&lt; Disregard_1&gt;[---]&lt; /Disregard_1&gt;&lt; Date_and_time&gt;Wed Jan 15 11:19:25 MET 2014&lt; /Date_and_time&gt;&lt; Domain&gt;02&lt; /Domain&gt;&lt; Machine_name&gt;Server2&lt; /Machine_name&gt;&lt; Usecase&gt;06&lt; /Usecase&gt;&lt; Actor&gt;&lt; Type_of_actor&gt;USER&lt; /Type_of_actor&gt;&lt; /Actor&gt;&lt; /Order&gt;&lt; Order&gt;&lt; Disregard_1&gt;[---]&lt; /Disregard_1&lt; Date_and_time&gt;Thu Jan 16 12:18:03 MET 2014&lt; /Date_and_time&gt;&lt; Domain&gt;02&lt; /Domain&gt;&lt; Machine_name&gt;Server2&lt; /Machine_name&gt;&lt; Usecase&gt;06&lt; /Usecase&gt;&lt; /Order&gt;&lt; Alerting&gt;&lt; Disregard_1&gt;ab&lt; /Disregard_1&gt;&lt; Date_and_time&gt;Tue Jan 14 09:56:37 MET 2014&lt; /Date_and_time&gt;&lt; Machine_name&gt;Server3&lt; /Machine_name&gt;&lt; Usecase&gt;01&lt; /Usecase&gt;&lt; /Alerting&gt;&lt; /Content&gt;</P> <P>So will it work?</P> Tue, 29 Sep 2020 20:46:59 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Event-breaks-in-an-XML-file-on-multiple-tags/m-p/130300#M7688 nasrinmulani 2020-09-29T20:46:59Z https://community.splunk.com/t5/Dashboards-Visualizations/Event-breaks-in-an-XML-file-on-multiple-tags/m-p/130301#M7689 <P>@nasrinmulani This thread is nearly 4 years old with an accepted answer so you're unlikely to get many responses. I suggest you post a new question describing your problem. Reference this answer if you wish.</P> Thu, 02 Aug 2018 13:56:52 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Event-breaks-in-an-XML-file-on-multiple-tags/m-p/130301#M7689 richgalloway 2018-08-02T13:56:52Z