How to Parse the XML data as row format in splunk

nkchaitanya · ‎12-05-2015

In the process of Parsing the xml data in splunk .

I have an xml data

<outer>
  <Global>
  <id>idone</id>
  <name>nameone</name>
  <designation>designationOne</designation>
  <company>companyOne</company> 
  </Global>
  <Global>
   <id>idtwo</id>
   <name>nametwo</name>
   <designation>designationtwo</designation>
   <company>companytwo</company>
   </Global>
</outer>

The output should be in row format:

idone  nameone designationOne  companyOne
idtwo  nametwo designationtwo  companytwo

I have applied:

LINE_BREAKER = (<Global>)
MUST_BREAK_AFTER = \</Global\>

in props.conf, but it didn't work.

Please suggest me the correct configuration to be entered in props.conf to get my required output.

Thanks in advance

sundareshr · ‎12-07-2015

Try this

props.conf

SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = <Global>
NO_BINARY_CHECK = true
SEDCMD-discardroot = s/(<outer>)//g s/(<\/outer>)//g
disabled = false
pulldown_type = true
REPORT-xmlfields = xmlextract-xmlfields

transforms.conf

[xmlextract-xmlfields]
REGEX = <(\w+)>(\w+)
FORMAT = $1::$2
MV_ADD = true
REPEAT_MATCH = true

Both files should be in system\local folder

The following command should return results in the format you expect.

... | table id, name, designation, company

hortonew · ‎12-05-2015

Have you tried just using the following for your search time field extraction?

KV_MODE=xml

nkchaitanya · ‎12-06-2015

yes, I have to put the following fields in props.conf

DATETIME_CONFIG = CURRENT
KV_MODE = xml
LINE_BREAKER = ()
MUST_BREAK_AFTER = \
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TRUNCATE = 0
pulldown_type = 1

How to Parse the XML data as row format in splunk

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023