Solved: XML Extraction

jedatt01 · ‎04-29-2014

I have a datasource that reads in events in XML format. Could someone please help me build a props.conf that will extract all fields and show the events in treeview. Sample event below

Mon Apr 28 16:45:57 EDT 2014 name="TOPIC_msg_received" event_id="ID:404040" msg_dest="SplunkTopic" msg_body="<?xml version="1.0" encoding="utf-8"?><ELLogInputLayout xmlns="http://www.test.com/1"><ELLogInputMessage>    <Header>      <LogEventTypeCode>ERROR</LogEventTypeCode>      <LogSeverityCode>CRITICAL</LogSeverityCode>      <LogEventDateTime>9999-12-31T23:59:59.9999999-05:00</LogEventDateTime>    </Header>    <SourceInformation>      <EAPMId>2</EAPMId>      <HostMachineName>HostMachineName3</HostMachineName>      <HostEnvironmentName>HostEnvironmentName3</HostEnvironmentName>      <ComponentId>ComponentId3</ComponentId>      <ComponentName>ComponentName3</ComponentName>      <ApplicationEventCorrelationId>ApplicationEventCorrelationId3</ApplicationEventCorrelationId>      <UserId>UserId3</UserId>      <UserSrc>UserSrc3</UserSrc>      <BusinessDomainId>BusinessDomainId3</BusinessDomainId>      <BusinessDomainName>BusinessDomainName3</BusinessDomainName>    </SourceInformation>    <ErrorInformation>      <ErrorCode>ErrorCode3</ErrorCode>      <ErrorDescription>ErrorDescription3</ErrorDescription><DetailedErrorInformation>DetailedErrorInformation3</DetailedErrorInformation>    </ErrorInformation>    <DetailedLogInformation>anyType</DetailedLogInformation>   </ELLogInputMessage></ELLogInputLayout>"

somesoni2 · ‎04-29-2014

Try this.

props.conf

[yourSourceType]
NO_BINARY_CHECK = 1
TIME_FORMAT = %a %b %d %H:%M:%S %T %Y
pulldown_type = 1
REPORT-xmlkv = xmlkv-alternative

transforms.conf

[xmlkv-alternative]
REGEX = <([^\s\>]*)[^\>]*\>([^<]*)\<\/\1\>
FORMAT = $1::$2

View solution in original post

landen99 · ‎10-05-2016

I like this solution using transforms.conf

[views_std]
MV_ADD = 1
REGEX = \<(\w+[^\n\/\>]+)\/?\>([^\<\n][^\<]*)\<
FORMAT = $1::$2
CLEAN_KEYS = true

[views_param]
MV_ADD = 1
REGEX = \<(\w+ [^\n\/\>]+)\/?\>
FORMAT = param::$1
CLEAN_KEYS = true

[views_option]
MV_ADD = 1
SOURCE_KEY = param
REGEX = (\w+(?: \w+)*)="(?!host|source|sourcetype|index|splunk_server)(\w+)"
FORMAT = $1::$2
CLEAN_KEYS = true

somesoni2 · ‎04-29-2014

Try this.

props.conf

[yourSourceType]
NO_BINARY_CHECK = 1
TIME_FORMAT = %a %b %d %H:%M:%S %T %Y
pulldown_type = 1
REPORT-xmlkv = xmlkv-alternative

transforms.conf

[xmlkv-alternative]
REGEX = <([^\s\>]*)[^\>]*\>([^<]*)\<\/\1\>
FORMAT = $1::$2

poddraj · ‎11-25-2019

Hi,

I have a .log file which has mix of system logs and in between request & response XMLs of actual transactions going within my application. I only want those XML transactions only to be shown in splunk and do not want to see the other logging information. Is there a way to achieve this?

jedatt01 · ‎05-06-2014

when you have an input that is true json or xml you can have the view of the events in a tree structure where you hit the + sign to see nested information.

rahulroy_splunk · ‎04-29-2014

Could you be more specific what you mean by pull down view?

jedatt01 · ‎04-29-2014

That extracted all the fields, thanks! Wish there was a way to get a pull down view but this will do the trick if that's not possible.

gfuente · ‎04-29-2014

Hello

Have your tried KV_MODE = XML in props.conf ??

From docs:

KV_MODE = [none|auto|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.
* Set KV_MODE to one of the following:
        * none: if you want no field/value extraction to take place.
        * auto: extracts field/value pairs separated by equal signs.
        * multi: invokes the multikv search command to expand a tabular event into multiple events.
    * xml : automatically extracts fields from XML data.
    * json: automatically extracts fields from JSON data.
* Setting to 'none' can ensure that one or more user-created regexes are not overridden by
  automatic field/value extraction for a particular host, source, or source type, and also
  increases search performance.
* Defaults to auto.
* The 'xml' and 'json' modes will not extract any fields when used on data that isn't of the correct format (JSON or XML).

jedatt01 · ‎04-29-2014

Yes, I tried using KV_MODE = XML but it is not picking up. Is the only way to do individual field extraction?

somesoni2 · ‎04-29-2014

This may not work as the event is not pure xml (its a combination of key value pair with embedded xml). You might have to extract all xml fields using field extractor.

XML Extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation