I know this topic has been addressed many times on here, but I cannot get my XML events to break properly. I am retrieving Cisco Prime devices via a REST API XML call. Designating the TA_cisco_ios add-on as the App in REST, I just cannot get it broken into individual events. Splunk just shows 1 event, as seen in the attached XML file.
My props.conf under TA_cisco_ios looks like:
[cisco:ios]
BREAK_ONLY_BEFORE=
TRUNCATE=500000
My REST setup looks like this:
REST API Input: Cisco Prime Device Status
Endpoint URL: https://172.x.x.85/webacs/api/v3/data/Devices.xml?.full=true
Authentication Type: basic
Sourcetype: cisco:ios
App: TA-cisco_ios
Status: Enabled
Thanks in advance! This is driving me crazy!
I use custom response handlers in the REST setup for pre-processing, and in this case, event splitting.
Add something like this to rest_ta/bin/responsehandlers.py
(example only, tweak as need be):
class XMLResponseHandler:
    def __init__(self, **args):
        pass

    def __call__(self, response_object, raw_response_output, response_type, req_args, endpoint):
        from xml.etree import ElementTree
        # parse the whole response body, then emit each <entity> child as its own event
        e = ElementTree.fromstring(raw_response_output)
        for entity in e.findall('entity'):
            # print_xml_stream is the helper already defined in rest_ta's responsehandlers.py
            print_xml_stream(ElementTree.tostring(entity).decode())
And then declare it to be applied to your input:
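As an added, self-contained illustration of the splitting approach described in this answer (it is not rest_ta's own code, nor the questioner's handler): it parses a constructed Cisco Prime-style response, returns one XML document per <entity> so each becomes a separate Splunk event, and returns an empty list on a malformed body (a truncated response, an HTML login page returned with a 200) instead of crashing the modular input. The handler signature, the local print_xml_stream stand-in, the split_tag argument, the wrapper element names in SAMPLE_RESPONSE and the URLs are assumptions; flatten_fields only approximates the dotted names that KV_MODE=xml produces, to show why they come out long.

```python
"""Added example: split one XML REST response into one Splunk event per <entity>.

Not rest_ta's own code. It mimics the __call__ signature the REST modular input
uses for response handlers and the print_xml_stream helper that rest_ta's
responsehandlers.py defines (both assumptions). The sample response is
constructed in the shape of a Cisco Prime Devices.xml?.full=true reply.
"""
import sys
from xml.etree import ElementTree
from xml.sax.saxutils import escape

# Constructed sample (wrapper element names are assumed, not taken from Prime).
SAMPLE_RESPONSE = """<?xml version="1.0" ?>
<queryResponse type="Devices" count="2">
  <entity dtoType="devicesDTO" type="Devices" url="https://prime.example/webacs/api/v3/data/Devices/1">
    <devicesDTO id="1">
      <deviceName>core-sw-01</deviceName>
      <ipAddress>10.0.0.1</ipAddress>
      <reachability>REACHABLE</reachability>
    </devicesDTO>
  </entity>
  <entity dtoType="devicesDTO" type="Devices" url="https://prime.example/webacs/api/v3/data/Devices/2">
    <devicesDTO id="2">
      <deviceName>edge-rtr-01</deviceName>
      <ipAddress>10.0.0.2</ipAddress>
      <reachability>UNREACHABLE</reachability>
    </devicesDTO>
  </entity>
</queryResponse>
"""


def split_xml_entities(raw_response_output, tag="entity"):
    """Return one serialised XML document per direct <tag> child of the root.

    Malformed input yields [] rather than raising, so one bad poll cannot take
    the whole input down; the caller decides whether to log it.
    """
    try:
        root = ElementTree.fromstring(raw_response_output)
    except ElementTree.ParseError:
        return []
    events = []
    for entity in root.findall(tag):
        # tostring() includes the element's tail whitespace; strip it so each
        # event is exactly one complete <entity>...</entity> document
        events.append(ElementTree.tostring(entity, encoding="unicode").strip())
    return events


def flatten_fields(event_text):
    """Approximate preview of the dotted leaf-field names nested XML yields
    under KV_MODE=xml (the exact naming is Splunk's; attributes are ignored)."""
    root = ElementTree.fromstring(event_text)
    fields = {}

    def walk(node, path):
        children = list(node)
        if children:
            for child in children:
                walk(child, path + "." + child.tag)
        else:
            fields[path] = (node.text or "").strip()

    walk(root, root.tag)
    return fields


def print_xml_stream(event_text):
    """Stand-in for the helper rest_ta's responsehandlers.py provides (assumption):
    wrap one event in the modular-input stream envelope on stdout."""
    sys.stdout.write("<stream><event><data>%s</data></event></stream>\n" % escape(event_text))


class PrimeXMLResponseHandler:
    """Handler in the shape rest_ta calls: one __call__ per HTTP response."""

    def __init__(self, **args):
        # hypothetical handler argument; defaults to the Prime <entity> wrapper
        self.tag = args.get("split_tag", "entity")

    def __call__(self, response_object, raw_response_output, response_type, req_args, endpoint):
        events = split_xml_entities(raw_response_output, self.tag)
        if not events:
            # surfaced on stderr so the failure shows in splunkd.log instead of silently indexing nothing
            sys.stderr.write("no <%s> elements parsed from %s\n" % (self.tag, endpoint))
        for event in events:
            print_xml_stream(event)
        return events


if __name__ == "__main__":
    handler = PrimeXMLResponseHandler()
    handler(None, SAMPLE_RESPONSE, "xml", {},
            "https://prime.example/webacs/api/v3/data/Devices.xml?.full=true")
```

Running the module prints two stream-wrapped events; pointing the same handler at a body that is not well-formed XML prints nothing and logs one line to stderr, which is the behaviour you want when the appliance answers a poll with an error page.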
Thanks, Damien. Using your sample and some luck, I created a PrimeHandler and at least have broken out the individual events now, but the fields were not being extracted. I put "KV_MODE = xml" in the sourcetype on the SH and at least I see the long field names now. May have to look at field extractions for that. Thanks for the help!
The props.conf is not posting properly, but the attributes below are using entity as the break:
BREAK_ONLY_BEFORE
MUST_BREAK_AFTER