Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- xml log line breaking
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have an xml as below, which is not which not correctly formatted ( whole xml is on one line). I am trying to configure a props.conf file to extract the following xml in the following format.
<listing
<record
</record>
<record
</record>
<record
</record>
</listing>
The props setting looks like below. But i am not able break them to a tree structure as shown above.
Could anyone please help ?
The following props.conf is working well when the xml is put to a xml formatter to format them to a proper xml structure. But otherwise not.
[testing]
BREAK_ONLY_BEFORE = <record
KV_MODE = xml
MUST_BREAK_AFTER = </record>
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TRUNCATE = 1000000
<?xml version="1.0" ?><listing action="Services" count="71"><message message="Listing is displayed" status="success"/> <record AuthDSId="null" AuthFormPostUrl="null" AuthFormType="null" BackupAcquirer="null" TraceExpires="null" UnicastDataQos="-1" WeakCertification="false" genId_="82497"> <list name="DirectClusterAssignments" size="0" type="ClusterConfig"/> <list name="PChannelToClusterAssignments" size="0" type="ClusterConfig"/> <list name="PChannelToDeviceGroupAssignments" size="0" type="DeviceGroup"/> <list name="DeviceGroups" size="1" type="DeviceGroup"> <entry id="DeviceGroup_388"/> </list> <list name="Playlists" size="0" type="Playlist"/><list name="LibraryNodes" size="0" type="LnConfig"/><list name="CachingNodes" size="0" type="CnConfig"/> </record> <record AuthDSId="null" AuthFormPostUrl="null" Fqdn="bpm.test.com" WeakCertification="false" genId_="82899"> <list name="DsvcLocations" size="0" type="DsvcLocation"/> <list name="ChannelMCasts" size="0" type="ChannelMCast"/> </record> <record AuthDSId="null" AuthFormPostUrl="null" Fqdn="mobile.test.com" WeakCertification="True" genId_="82497"> <list name="DsvcLocations" size="0" type="DsvcLocation"/> <list name="ChannelMCasts" size="0" type="ChannelMCast"/> </record></listing>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have finally figured it out used the following props. I was using the props to be used along with "REST API Modular Input" App. There was a bug in the App - line breaker was ignored, which "Damien" has fixed and provided an updated beta 06 version. (now available in splunkbase)
Thanks
Regards
KK
DATETIME_CONFIG = CURRENT
KV_MODE = xml
LINE_BREAKER = >(\s+)<record
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TRUNCATE = 1000000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have finally figured it out used the following props. I was using the props to be used along with "REST API Modular Input" App. There was a bug in the App - line breaker was ignored, which "Damien" has fixed and provided an updated beta 06 version. (now available in splunkbase)
Thanks
Regards
KK
DATETIME_CONFIG = CURRENT
KV_MODE = xml
LINE_BREAKER = >(\s+)<record
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TRUNCATE = 1000000
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
