I have a case where a log file includes a straight text header in front of well-formed XML.
Here is an example:
2017-09-05T13:14:02.869Z, ap=695449, xml="well formed xml"
The Bold is the straight text in front of the XML.
Is it possible to use xmlutils to xml pretty print just a single field? Perhaps as a function? 
One problem is exporting data, but keeping the time stamp and ap field.
I have been trying to work around this by incorporating the time stamp into a larger xml piece and am near to having that working, but I come up with data that web xml validators like, but that still blow up pretty print.
Doing the xml print on just a field is likely the best solution, if someone can help.
Using Splunk 6.5. xmlutils seems to have installed and be working okay.
It does just pretty print one field, either the field "xml" or the field "_raw", in that order.
So, if you did something like:
query... | table _time ap xml | xmlprettyprint
The field xml would be pretty printed.
Unfortunately, you can't see it in a table in Splunk, because all white space is collapsed in a table view. You'd need to put the table on a dashboard and add some css to preserve the whitespace. The whitespace should survive in an export, though.
Thanks much! I am in the process of trying this. I have a similar case with some JSONs. I also was able to get pretty printing via using fairly ugly sedcmds to turn the whole log into a single XML expression.
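For exports handled outside Splunk, the same per-field approach can be sketched in Python. This is an added example, not code from the thread or from the xmlutils app; the field names _time, ap and xml come from the thread, while the function names, the regex and the sample line are assumptions.

```python
import re
from xml.dom import minidom
from xml.parsers.expat import ExpatError

# Constructed sample in the shape shown in the question: text header, then xml="...".
SAMPLE = ('2017-09-05T13:14:02.869Z, ap=695449, '
          'xml="<order id="7"><item>a</item><item>b</item></order>"')

# Greedy .* runs to the last quote, so quotes inside the XML do not end the field.
LINE_RE = re.compile(r'^(?P<time>\S+), ap=(?P<ap>\d+), xml="(?P<xml>.*)"\s*$', re.S)


def split_event(line):
    """Split one log line into its header fields and the raw XML text."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("line does not match '<time>, ap=<n>, xml=\"...\"'")
    return m.group("time"), m.group("ap"), m.group("xml")


def pretty_xml(xml_text, indent="  "):
    """Indent xml_text; return it unchanged if it cannot be parsed safely."""
    # Log content is untrusted input: skip documents that declare a DTD so
    # entity definitions are never expanded by the parser.
    if "<!DOCTYPE" in xml_text:
        return xml_text
    try:
        root = minidom.parseString(xml_text).documentElement
    except ExpatError:
        return xml_text  # keep the event exportable even when parsing fails
    lines = root.toprettyxml(indent=indent).splitlines()
    return "\n".join(l for l in lines if l.strip())


def pretty_event(line):
    """Return the event with only the xml field reformatted."""
    time, ap, xml_text = split_event(line)
    return {"_time": time, "ap": ap, "xml": pretty_xml(xml_text)}


if __name__ == "__main__":
    event = pretty_event(SAMPLE)
    print(event["_time"], event["ap"])
    print(event["xml"])
```

XML that fails to parse, or that carries a DOCTYPE, is passed through untouched so the timestamp and ap values are still exported with it.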
