XML multi-value help

New Member

I am new to Splunk and have been reading as much as I can, but I cannot figure this out. Trying to wrap my head around regex. I have some xml data as below. Splunk only identifies the first values of bi, o, pb, pool, amt, mode. I need to work with each of these. Would you please help me make these multi-valued? Thank you.


Board 3 Msg # 90962 19-JAN-2013 12:45:34.51 msg length = 871
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sorry for the delayed response. Thank you both for trying to help, it is greatly appreciated. There are more issues with my data than I thought. I was working with a friend who has more experience with Splunk and he helped me get a decent start. Unfortunately, now I have issues with line breaking. I am trying to index the above type of messages from a txt file. In the txt file it looks like:

Board 3 stuff

XML stuff

Board 3 stuff

XML stuff

Where each event is within one line separated by the "Board 3..." stuff. He helped me overcome this using the following props.conf:

[horsexml]
#TIME_PREFIX = Board\s\d+\s+\w+\s#\s+\d+\s+
#TIME_FORMAT = %d-%b-%Y %H:%M:%S.%2N
LINE_BREAKER = (Board[\s\d\w#-:=\]+)|(\x3)
SHOULD_LINEMERGE = false
KV_MODE = xml
#REPORT-xmlext = xml-extr

Unfortunately, there exist "returns" within each line begun with after 133 characters. So instead of one straight line of xml code Splunk sees something like this





Board 3 Msg # 24830 19-JAN-2013 08:47:01.13 msg length = 855



SesDate="2013-01-19" RaceDate="2013-01-19" PTyp=" $" />
turfC="YIELDING" typ="A" Total="0.00">
o=" 30" pb="35.40" />
bi="7" o=" 5" pb="6.50" />

l pool="TRI" amt="937.58" mode="N" />
ol="SPR" amt="800.76" mode="N" />



Board 3 Msg # 24944 19-JAN-2013 08:47:36.09 msg length = 855



SesDate="2013-01-19" RaceDate="2013-01-19" PTyp=" $" />
turfC="YIELDING" typ="A" Total="0.00">
o=" 30" pb="35.50" />
bi="7" o=" 5" pb="6.40" />

l pool="TRI" amt="949.05" mode="N" />
ol="SPR" amt="808.82" mode="N" />

Please note the truncation of "total" and "pool" near the end of these examples down to "tota" and "po". So this results in Splunk producing a few incorrect fields. For example:

msg.WO_data.feature.tota{@l}{@pool}
which should be
msg.WO_data.feature.total{@pool}

and

msg.WO_data.feature.total{@po}{@ol}
which should be
msg.WO_data.feature.total{@pool}

I thought adding a SHOULD_LINEMERGE=true should work but I have not figured it out. It either merges everything into one event, or when I prevent that it does not merge these lines to prevent the truncation.

I also tried adding a TRUNCATE option, but Splunk is not the one truncating so that's not the issue. Any thoughts? Thanks again for your effort and help.


Splunk Employee

Try using spath or setting the KV_MODE=xml for your sourcetype which will parse your xml for you.


SplunkTrust

This'll give you multi-value fields:

...  | spath output=bi path=msg.wo_data.oddsdata.entry{@bi} | spath output=o path=msg.wo_data.oddsdata.entry{@o} | spath output=pb path=msg.wo_data.oddsdata.entry{@pb} | spath output=pool path=msg.wo_data.feature.total{@pool} | spath output=amt path=msg.wo_data.feature.total{@amt} | spath output=mode path=msg.wo_data.feature.total{@mode}
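Added example, not part of this thread and not Splunk code: a small Python script that reproduces what the two answers above do with spath, and also shows why the wrapped file breaks it. It splits a feed into events on the "Board N Msg #" header only (the job the poster's LINE_BREAKER does), strips the bare newlines the feed inserted every fixed number of characters, and then pulls bi/o/pb and pool/amt/mode out of each event as multi-valued lists. The sample feed is constructed, and the element names (session, oddsdata, entry, feature, total under msg/wo_data) are an assumption inferred from the spath paths in the answer above, not the poster's real schema. Without the unwrap step the split token "tota" / "l" is not well-formed XML, which is the same failure the poster saw as the field name "tota{@l}".

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feed (not the poster's real data, and shorter than it).
# Each event starts with a "Board 3 Msg #" header line; the XML payload that
# follows was hard-wrapped by the feed, so bare newlines land mid-token and
# split "total" into "tota" / "l" and "pool" into "po" / "ol", as in the question.
# Element names under msg/wo_data are assumed from the answer's spath paths.
def build_event(seq, stamp, pb1, pb2, tri, spr):
    header = f"Board 3 Msg # {seq} {stamp} msg length = 855"
    body = (
        '<msg><wo_data><session SesDate="2013-01-19" RaceDate="2013-01-19" PTyp=" $" />\n'
        '<oddsdata turfC="YIELDING" typ="A" Total="0.00"><entry bi="6" \n'
        f'o=" 30" pb="{pb1}" /><entry bi="7" o=" 5" pb="{pb2}" />\n'
        f'</oddsdata><feature><tota\nl pool="TRI" amt="{tri}" mode="N" />\n'
        f'<total po\nol="SPR" amt="{spr}" mode="N" /></feature></wo_data></msg>'
    )
    return header + "\n" + body + "\n"

FEED = (
    build_event(24830, "19-JAN-2013 08:47:01.13", "35.40", "6.50", "937.58", "800.76")
    + build_event(24944, "19-JAN-2013 08:47:36.09", "35.50", "6.40", "949.05", "808.82")
)

# Event boundary: only the Board header starts a new event, which is what the
# poster's LINE_BREAKER on "Board..." achieves in props.conf.
HEADER_RE = re.compile(
    r"^Board \d+ Msg # (?P<seq>\d+) (?P<ts>\S+ \S+) msg length = (?P<len>\d+)$",
    re.MULTILINE,
)

# Attribute-bearing elements, mirroring the spath paths in the answer:
# msg.wo_data.oddsdata.entry{@bi,@o,@pb} and msg.wo_data.feature.total{@pool,@amt,@mode}.
FIELD_PATHS = {
    "./wo_data/oddsdata/entry": ("bi", "o", "pb"),
    "./wo_data/feature/total": ("pool", "amt", "mode"),
}

def split_events(feed):
    """Return (seq, timestamp, raw_payload) per event, split on the header only."""
    matches = list(HEADER_RE.finditer(feed))
    events = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(feed)
        events.append((m.group("seq"), m.group("ts"), feed[m.end():end]))
    return events

def unwrap(payload):
    """Undo the fixed-width wrapping: the feed inserted bare newlines and nothing
    else, so deleting every newline restores the original single-line XML."""
    return payload.replace("\r", "").replace("\n", "").strip()

def extract_fields(xml_text):
    """Parse one event and collect each attribute as a multi-valued list."""
    root = ET.fromstring(xml_text)
    fields = {}
    for path, names in FIELD_PATHS.items():
        elements = root.findall(path)
        for name in names:
            fields[name] = [e.get(name) for e in elements]
    return fields

def parse_feed(feed, unwrap_lines=True):
    """Parse every event; with unwrap_lines=False the wrapped payload is handed
    to the XML parser as-is, which is the situation the poster hit in Splunk."""
    results = []
    for seq, ts, payload in split_events(feed):
        text = unwrap(payload) if unwrap_lines else payload.strip()
        fields = extract_fields(text)
        fields["seq"], fields["timestamp"] = seq, ts
        results.append(fields)
    return results

def well_formed_count(feed, unwrap_lines=True):
    """How many events parse as well-formed XML under the chosen treatment."""
    count = 0
    for _, _, payload in split_events(feed):
        try:
            ET.fromstring(unwrap(payload) if unwrap_lines else payload.strip())
            count += 1
        except ET.ParseError:
            pass
    return count

if __name__ == "__main__":
    print("well-formed without unwrapping:", well_formed_count(FEED, unwrap_lines=False))
    print("well-formed after unwrapping:  ", well_formed_count(FEED))
    for ev in parse_feed(FEED):
        print(ev["seq"], ev["timestamp"],
              {k: ev[k] for k in ("bi", "o", "pb", "pool", "amt", "mode")})
```

The point of the unwrap function is that the wrap only ever inserts a newline and removes nothing, so deleting newlines inside an event is lossless; that is a property of this feed, not of XML in general, so check it against your own file before applying the same idea as a pre-processing step.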