Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Dashboards & Visualizations
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Problems implementing linebreaker to ingest XM...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aputz
Path Finder
05-18-2011
07:22 AM
I've been trying to utilize the linebreaker to break an xml file into multiple Splunk events. I've tried many different ways. I had looked at this example and I'm still having trouble. Here is the Code I believe should work:
Inputs.conf
#########
[monitor:///opt/reports]
source = TRAFFIC
sourcetype = app_log
index = traffic
props.conf
#########
[source::TRAFFIC]
TIME_PREFIX = \<CreationDate\>
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N
SHOULD_LINEMERGE = false
LINE_BREAKER = \>\s*(?=\<entry\>)
REPORT-xmlext = xml-extr
Below is an excerpt from the xml file I am trying to ingest.
- <response status="success">
- <report name="Top applications" logtype="appstat" start="2011/05/17 00:29:20" end="2011/05/17 01:29:19" generated-at="2011/05/17 01:29:20">
- <entry>
<risk-of-name>4</risk-of-name>
<name>dns</name>
<nsess>1197</nsess>
<nbytes>336017</nbytes>
<nthreats>0</nthreats>
</entry>
- <entry>
<risk-of-name>4</risk-of-name>
<name>ssl</name>
<nsess>542</nsess>
<nbytes>10747761</nbytes>
<nthreats>0</nthreats>
</entry>
- <entry>
<risk-of-name>4</risk-of-name>
<name>web-browsing</name>
<nsess>341</nsess>
<nbytes>8085374</nbytes>
<nthreats>2</nthreats>
</entry>
Thanks for any help!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
carmackd
Communicator
05-18-2011
11:45 AM
Try this:
[source::TRAFFIC]
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = \<entry\>
TIME_PREFIX = generated-at\=\"
REPORT-xmlext = xml-extr
I didn't see the <CreationDate\> tag in the example you gave so this transform is assuming the timestamp comes after "generated-at".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
carmackd
Communicator
05-18-2011
11:45 AM
Try this:
[source::TRAFFIC]
BREAK_ONLY_BEFORE_DATE = false
BREAK_ONLY_BEFORE = \<entry\>
TIME_PREFIX = generated-at\=\"
REPORT-xmlext = xml-extr
I didn't see the <CreationDate\> tag in the example you gave so this transform is assuming the timestamp comes after "generated-at".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aputz
Path Finder
05-18-2011
12:07 PM
Yes, that solved the issue. Thanks for getting me over that hurdle!
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
Index This | What are the 12 Days of Splunk-mas?
December 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
