I'm very new to Splunk, and am trying to find pointers on how to index xunit files (generated from some nose unit tests). A typical xunit file looks like this:
<?xml version="1.0" encoding="UTF-8"?>
Traceback (most recent call last):
TypeError: oops, wrong type
How would I go about indexing those files?
First, Splunk needs to know very little about a file in order to index it or search it. Basically, if you can point Splunk at the file and the file isn't binary, you are on your way.
That said, there are 6 key things that you must configure correctly:
Most of these are easy, and Splunk usually figures them all out by itself. Source = name of file for your input. Simple. Line-breaking and timestamp extraction are usually defined as part of the sourcetype. If you have a common sourcetype (see the list of pretrained sourcetypes), Splunk can even figure out the sourcetype for you.
For an XML file though, usually Splunk will need your help. One way to do this is with the Data Preview feature, which is described here
Usually, you will need to define a sourcetype for your input, unless one of the pretrained sourcetypes works for you. Just think up a name and assign it to the input - maybe xunit. More info here, with links to details on setting the line-breaking and timestamp characteristics for your sourcetype.
Finally, here are a few other questions about XML files on the forum:
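
A configuration sketch for the custom-sourcetype approach described in the answer above, added here as an example and not part of the original post. The monitored path is an assumed placeholder, and the line-breaking rule assumes each test result is a `<testcase>` element with no timestamp of its own, as in nose's xunit output.

```ini
# inputs.conf (on the forwarder or instance that reads the files)
# The path is an assumed placeholder for wherever the test runs write reports.
[monitor:///var/ci/reports/*.xml]
sourcetype = xunit
disabled = false

# props.conf (line-breaking and timestamp settings apply where data is parsed:
# the indexer or a heavy forwarder)
[xunit]
# LINE_BREAKER alone defines event boundaries; do not re-merge lines afterwards.
SHOULD_LINEMERGE = false
# Start a new event at every <testcase ...> element. Text matched by the first
# capture group is discarded; "<testcase" itself begins the next event.
LINE_BREAKER = (\s*)<testcase\s
# Assumption: the report has no per-test timestamp, so use the time of indexing.
DATETIME_CONFIG = CURRENT
# Tracebacks can be long; raise the per-event byte limit above the 10000 default.
TRUNCATE = 100000
# Search-time setting: extract XML attributes and elements as fields.
KV_MODE = xml
```

With this breaking rule the first event of each file holds the XML declaration and the `<testsuite>` header rather than a test result. Check the result in Data Preview before enabling the input, since already-indexed events are not re-broken when the sourcetype changes.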