Dashboards & Visualizations

How to Parse the XML data as row format in splunk

nkchaitanya
Explorer

In the process of Parsing the xml data in splunk .

I have an xml data

<outer>
  <Global>
  <id>idone</id>
  <name>nameone</name>
  <designation>designationOne</designation>
  <company>companyOne</company> 
  </Global>
  <Global>
   <id>idtwo</id>
   <name>nametwo</name>
   <designation>designationtwo</designation>
   <company>companytwo</company>
   </Global>
</outer>

The output should be in row format:

idone  nameone designationOne  companyOne
idtwo  nametwo designationtwo  companytwo

I have applied:

LINE_BREAKER = (<Global>)
MUST_BREAK_AFTER = \</Global\>

in props.conf, but it didn't work.

Please suggest me the correct configuration to be entered in props.conf to get my required output.

Thanks in advance

0 Karma

sundareshr
Legend

Try this

props.conf

SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = <Global>
NO_BINARY_CHECK = true
SEDCMD-discardroot = s/(<outer>)//g s/(<\/outer>)//g
disabled = false
pulldown_type = true
REPORT-xmlfields = xmlextract-xmlfields

transforms.conf

[xmlextract-xmlfields]
REGEX = <(\w+)>(\w+)
FORMAT = $1::$2
MV_ADD = true
REPEAT_MATCH = true

Both files should be in system\local folder

The following command should return results in the format you expect.

... | table id, name, designation, company
0 Karma

hortonew
Builder

Have you tried just using the following for your search time field extraction?

KV_MODE=xml
0 Karma

nkchaitanya
Explorer

yes, I have to put the following fields in props.conf

DATETIME_CONFIG = CURRENT
KV_MODE = xml
LINE_BREAKER = ()
MUST_BREAK_AFTER = \
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TRUNCATE = 0
pulldown_type = 1
0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...