Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

XML extractions not working in 6

theouhuios
Motivator
‎02-21-2014 07:44 AM

Hello

I did try XML extractions before on 4.3 which used to work fine. But in 6 I seem to have an issue.

Here is my config

BREAK_ONLY_BEFORE =^\<\?xml
SHOULD_LINEMERGE = true
MAX_TIMESTAMP_LOOKAHEAD=200
KV_MODE = xml

And the data looks like 

<?xml version="1.0" encoding="UTF-8" ?>
<ResultSetData>
<Row>
<Column name="DATE_TIME">2/21/2014 9:35:53</Column>
<Column name="HOST_NAME">xxxxx</Column>
<Column name="INSTANCE_NAME">yyyyy</Column>
<Column name="USERNAME">aaaaaa</Column>
<Column name="PROFILE">zzzzz</Column>
<Column name="ACCOUNT_STATUS">ccccc</Column>
</Row>
</ResultSetData>

Line breaking and timestamp looks good but the field extractions doesn't seem to work.Any ideas?

When I use spath that works again

Tags (1)
0 Karma
Reply

theouhuios
Motivator
‎02-24-2014 07:14 AM

Any idea if this can be done?

0 Karma
Reply

aelliott
Motivator
‎02-21-2014 11:19 AM

we have it in the format etc and it works great
In addition, you probably just want to start with the tag right? so you could do break only before ^<ResultSetData etc?

0 Karma
Reply

theouhuios
Motivator
‎02-21-2014 11:25 AM

I did that too . Line Break isn't really a problem here as I am not really particular about it. Looks like I will have to change the format of the XML now. Is there no way for us to make splunk do those extractions in KV_MODE as XML?

0 Karma
Reply

theouhuios
Motivator
‎02-21-2014 10:51 AM

Is it the 2/21/2014 9:35:53 format which is creating an issue? I know that its like 2/21/2014 9:35:53 it wont have any issues. Should I change the format ?

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...