Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Problems implementing linebreaker to ingest XML
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aputz
Path Finder
05-18-2011
07:22 AM
I've been trying to utilize the linebreaker to break an xml file into multiple Splunk events. I've tried many different ways. I had looked at this example and I'm still having trouble. Here is the Code I believe should work:
Inputs.conf
#########
[monitor:///opt/reports]
source = TRAFFIC
sourcetype = app_log
index = traffic
props.conf
#########
[source::TRAFFIC]
TIME_PREFIX = \<CreationDate\>
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N
SHOULD_LINEMERGE = false
LINE_BREAKER = \>\s*(?=\<entry\>)
REPORT-xmlext = xml-extr
Below is an excerpt from the xml file I am trying to ingest.
- <response status="success">
- <report name="Top applications" logtype="appstat" start="2011/05/17 00:29:20" end="2011/05/17 01:29:19" generated-at="2011/05/17 01:29:20">
- <entry>
<risk-of-name>4</risk-of-name>
<name>dns</name>
<nsess>1197</nsess>
<nbytes>336017</nbytes>
<nthreats>0</nthreats>
</entry>
- <entry>
<risk-of-name>4</risk-of-name>
<name>ssl</name>
<nsess>542</nsess>
<nbytes>10747761</nbytes>
<nthreats>0</nthreats>
</entry>
- <entry>
<risk-of-name>4</risk-of-name>
<name>web-browsing</name>
<nsess>341</nsess>
<nbytes>8085374</nbytes>
<nthreats>2</nthreats>
</entry>
Thanks for any help!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
carmackd
Communicator
05-18-2011
11:45 AM
Try this:
[source::TRAFFIC]
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = \<entry\>
TIME_PREFIX = generated-at\=\"
REPORT-xmlext = xml-extr
I didn't see the <CreationDate\> tag in the example you gave so this transform is assuming the timestamp comes after "generated-at".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
carmackd
Communicator
05-18-2011
11:45 AM
Try this:
[source::TRAFFIC]
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = \<entry\>
TIME_PREFIX = generated-at\=\"
REPORT-xmlext = xml-extr
I didn't see the <CreationDate\> tag in the example you gave so this transform is assuming the timestamp comes after "generated-at".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aputz
Path Finder
05-18-2011
12:07 PM
Yes, that solved the issue. Thanks for getting me over that hurdle!
Get Updates on the Splunk Community!
Splunk Observability as Code: From Zero to Dashboard
For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...
Shape the Future of Splunk: Join the Product Research Lab!
Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...
