Hi together,
I'am trying to get some XML input into Splunk, but everytime the first character ("<") is missing. Due to this, Splunk cannot read XML correctly: (on two different sources)
from example-source: www.ecb.europa.eu/stats/eurofxref/eurofxref-daily.xml
this input: <xml version="1.0" encoding="UTF-8"?><gesmes:Envel... is getting this: xml version="1.0" encoding="UTF-8"?><gesmes:Envel...
Is there anyone who knows why the first character is missing?
Best regard Steffen
The display issue appears to be corrected in 6.0.1.
This is a display issue, when you display with source=myxmlsource | table _raw, the "<" is present.
source=myxmlsource | table _raw
by the way the xml starts with <?xml not <xml
<?xml
<xml
when I test with <xml version="1.0" encoding="UTF-8">, the event are correctly displayed.
<xml version="1.0" encoding="UTF-8">
Hmmm if I pipe my sources to spath and then pipe that to xmlkv, I get the results I expect.
I'm having exactly the same issue. My props.conf:
[host::rabbitmq]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = \<\?xml\sversion
\<\?xml\sversion
Is there a solution available for this issue ?
Thanks,
Thorsten
How did your ticket go? Should I send my colleague - who has access support - to open a Splunk ticket as well?
just checked this with Splunk 5.0.5 and it's working. Seems like an Splunk 6.0 bug. I'll open a Splunk ticket.
