
Event breaks in an XML-file on multiple tags

Path Finder

I have an XML file with multiple tags I want to break on. Not all tags should cause a break, but only a subset.
E.g.
< Security> ... < /Security> should be an event
< Admin> ... < /Admin> should be another event
< Order> ... < /Order> should be another event

I tried to break on a regex, but it did not work:
"< Security>" | "< Admin>" | "< Order>" | "< Payment>"

A bonus would be if the header was disregarded/not listed.

0 Karma

Re: Event breaks in an XML-file on multiple tags

SplunkTrust

Can you put your props and transforms configuration? Where are you placing your regex?

0 Karma

Re: Event breaks in an XML-file on multiple tags

Path Finder

I am putting the regex in Add data » Files & directories » Data preview, in the field "Specify a pattern or regex to break before (ex: \d+foo\d[2,4], Start Of Event, ^***)".

The props and transforms are untouched, yet.

0 Karma

Re: Event breaks in an XML-file on multiple tags

Path Finder

Here is a typical sample of this file (with adapted XML tags):
< ?xml version="1.0" encoding="UTF-8"?>
< Content>
< Admin>
< Disregard1>[]< /Disregard1>
< Dateandtime>Mon Jan 13 22:44:53 MET 2014< /Dateandtime>
< Domain>01< /Domain>
< Disregard4>18512< /Disregard4>
< Machinename>Server1< /Machinename>
< Usecase>12< /Usecase>
< /Admin>
< Order>
< Disregard1>[---]< /Disregard1>
< Dateandtime>Wed Jan 15 11:19:25 MET 2014< /Dateandtime>
< Domain>02< /Domain>
< Machinename>Server2< /Machinename>
< Usecase>06< /Usecase>
< Actor>
< Typeofactor>USER< /Typeofactor>
< /Actor>
< /Order>
< Order>
< Disregard1>[---]< /Disregard1>
< Dateandtime>Thu Jan 16 12:18:03 MET 2014< /Dateandtime>
< Domain>02< /Domain>
< Machinename>Server2< /Machinename>
< Usecase>06< /Usecase>
< /Order>
< Alerting>
< Disregard1>ab< /Disregard1>
< Dateandtime>Tue Jan 14 09:56:37 MET 2014< /Dateandtime>
< Machinename>Server3< /Machinename>
< Usecase>01< /Usecase>
< /Alerting>
< /Content>

0 Karma

Re: Event breaks in an XML-file on multiple tags

Path Finder

I found it:
You have to enter this string in the Regex-field of Data preview (please remove the blanks after the < sign, I added them only because otherwise this forum would not accept it)

(?m)^(< Admin>|< Order>|< Security>|< Payment>)

It says:
(?m) ...go for multiline and do not stop at the first event you find
^...the search term is at the beginning of the line
()...a grouped search term
< Admin>...(e.g.) search the exact phrase, case-sensitive

|...logical OR statement

or directly in the props.conf file:
[NameOfTheSourcetype]
BREAK_ONLY_BEFORE = (?m)^(< Admin>|< Order>|< Security>|< Payment>)
NO_BINARY_CHECK = 1
TIME_PREFIX = < Dateandtime>
pulldown_type = 1

The TIME_PREFIX was added by me, because my timestamp was tagged this way. You can leave it out, because your files will probably be tagged differently.



Re: Event breaks in an XML-file on multiple tags

New Member

Hi,

Here in this answer you have mentioned "^...the search term is at the beginning of the line".
Is it really necessary to have that field at the start?

In my case it's without any spaces or new line.

`< ?xml version="1.0" encoding="UTF-8"?>< Content>< Admin>< Disregard1>[]< /Disregard1>< Dateandtime>Mon Jan 13 22:44:53 MET 2014< /Dateandtime>< Domain>01< /Domain>< Disregard4>18512< /Disregard4>< Machinename>Server1< /Machinename>< Usecase>12< /Usecase>
< /Admin>< Order>< Disregard1>[---]< /Disregard1>< Dateandtime>Wed Jan 15 11:19:25 MET 2014< /Dateandtime>< Domain>02< /Domain>< Machinename>Server2< /Machinename>< Usecase>06< /Usecase>< Actor>< Typeofactor>USER< /Typeofactor>< /Actor>< /Order>< Order>< Disregard1>[---]< /Disregard1< Dateandtime>Thu Jan 16 12:18:03 MET 2014< /Dateandtime>< Domain>02< /Domain>< Machinename>Server2< /Machinename>< Usecase>06< /Usecase>< /Order>< Alerting>< Disregard1>ab< /Disregard1>< Dateandtime>Tue Jan 14 09:56:37 MET 2014< /Dateandtime>< Machinename>Server3< /Machinename>< Usecase>01< /Usecase>< /Alerting>< /Content>`

So will it work?

0 Karma
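As an added example (not code from this thread and not Splunk's own code), the following Python script emulates what BREAK_ONLY_BEFORE and TIME_PREFIX do with the accepted answer's regex, run over a constructed sample modelled on the XML posted above with the forum's blanks after `<` removed. It shows three things: the text before the first matching tag is separated from the events (which is where the original "disregard the header" wish would have to be handled), a tag that is not in the list such as `<Alerting>` stays attached to the preceding event, and on the single-line input from the follow-up question the `^` anchor matches nothing, so the same alternation has to be used without the anchor there. `break_events`, `event_tags` and `extract_timestamp` are hypothetical helper names chosen for this example, not Splunk APIs.

```python
import re

# Constructed sample, modelled on the thread's XML (tags written without
# the forum's blanks after "<"). Not the poster's actual file.
SAMPLE_MULTILINE = """<?xml version="1.0" encoding="UTF-8"?>
<Content>
<Admin>
<Dateandtime>Mon Jan 13 22:44:53 MET 2014</Dateandtime>
<Machinename>Server1</Machinename>
</Admin>
<Order>
<Dateandtime>Wed Jan 15 11:19:25 MET 2014</Dateandtime>
<Machinename>Server2</Machinename>
</Order>
<Order>
<Dateandtime>Thu Jan 16 12:18:03 MET 2014</Dateandtime>
<Machinename>Server2</Machinename>
</Order>
<Alerting>
<Dateandtime>Tue Jan 14 09:56:37 MET 2014</Dateandtime>
<Machinename>Server3</Machinename>
</Alerting>
</Content>
"""

# The same content with every newline removed, as in the follow-up question.
SAMPLE_ONE_LINE = SAMPLE_MULTILINE.replace("\n", "")

# The accepted answer's pattern, with the alternation grouped so that the
# line anchor applies to every tag, not only to the first one.
ANCHORED = re.compile(r"(?m)^(<Admin>|<Order>|<Security>|<Payment>)")
# The same tags without the line anchor, for input that has no line breaks.
UNANCHORED = re.compile(r"(<Admin>|<Order>|<Security>|<Payment>)")


def break_events(text, pattern):
    """Emulate BREAK_ONLY_BEFORE: cut the text right before each match.

    Returns (header, events). The header is whatever precedes the first
    match; it is returned separately so the caller can see (and drop) it.
    Text after the last match, including a closing root tag, stays with
    the last event because nothing breaks it off.
    """
    starts = [m.start() for m in pattern.finditer(text)]
    if not starts:
        return text, []
    header = text[:starts[0]]
    bounds = starts + [len(text)]
    events = [text[bounds[i]:bounds[i + 1]] for i in range(len(starts))]
    return header, events


def event_tags(text, pattern):
    """The opening tag of each event, to see which tags caused a break."""
    _, events = break_events(text, pattern)
    return [re.match(r"<(\w+)>", event).group(1) for event in events]


def extract_timestamp(event, prefix="<Dateandtime>"):
    """Emulate TIME_PREFIX: return the timestamp text that follows the prefix."""
    match = re.search(re.escape(prefix) + r"([^<]+)", event)
    return match.group(1) if match else None


if __name__ == "__main__":
    header, events = break_events(SAMPLE_MULTILINE, ANCHORED)
    print("header (not an event):", repr(header))
    for event in events:
        print(event_tags(event, UNANCHORED)[0], extract_timestamp(event))
    print("anchored on one line:", event_tags(SAMPLE_ONE_LINE, ANCHORED))
    print("unanchored on one line:", event_tags(SAMPLE_ONE_LINE, UNANCHORED))
```

Note that a real Splunk input would index the leading chunk before the first break as an event of its own; the emulation only makes that chunk visible so the difference between "break before tag X" and "drop everything before tag X" is clear.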

Re: Event breaks in an XML-file on multiple tags

SplunkTrust

@nasrinmulani This thread is nearly 4 years old with an accepted answer so you're unlikely to get many responses. I suggest you post a new question describing your problem. Reference this answer if you wish.

---
If this reply helps you, an upvote would be appreciated.
0 Karma