Dashboards & Visualizations

Problems implementing linebreaker to ingest XML

aputz
Path Finder

I've been trying to utilize the linebreaker to break an xml file into multiple Splunk events. I've tried many different ways. I had looked at this example and I'm still having trouble. Here is the Code I believe should work:

Inputs.conf

#########
[monitor:///opt/reports]
source = TRAFFIC
sourcetype = app_log
index = traffic

props.conf

#########
[source::TRAFFIC]
TIME_PREFIX = \<CreationDate\>
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N
SHOULD_LINEMERGE = false
LINE_BREAKER = \>\s*(?=\<entry\>)
REPORT-xmlext = xml-extr

Below is an excerpt from the xml file I am trying to ingest.

- <response status="success">
- <report name="Top applications" logtype="appstat" start="2011/05/17 00:29:20" end="2011/05/17 01:29:19" generated-at="2011/05/17 01:29:20">
- <entry>
  <risk-of-name>4</risk-of-name> 
  <name>dns</name> 
  <nsess>1197</nsess> 
  <nbytes>336017</nbytes> 
  <nthreats>0</nthreats> 
  </entry>
- <entry>
  <risk-of-name>4</risk-of-name> 
  <name>ssl</name> 
  <nsess>542</nsess> 
  <nbytes>10747761</nbytes> 
  <nthreats>0</nthreats> 
  </entry>
- <entry>
  <risk-of-name>4</risk-of-name> 
  <name>web-browsing</name> 
  <nsess>341</nsess> 
  <nbytes>8085374</nbytes> 
  <nthreats>2</nthreats> 
  </entry>

Thanks for any help!

Tags (2)
1 Solution

carmackd
Communicator

Try this:

[source::TRAFFIC]
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = \<entry\>
TIME_PREFIX = generated-at\=\"
REPORT-xmlext = xml-extr

I didn't see the <CreationDate\> tag in the example you gave so this transform is assuming the timestamp comes after "generated-at".

View solution in original post

0 Karma

carmackd
Communicator

Try this:

[source::TRAFFIC]
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = \<entry\>
TIME_PREFIX = generated-at\=\"
REPORT-xmlext = xml-extr

I didn't see the <CreationDate\> tag in the example you gave so this transform is assuming the timestamp comes after "generated-at".

0 Karma

aputz
Path Finder

Yes, that solved the issue. Thanks for getting me over that hurdle!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...