Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dumping XML logs

20065945
Explorer
‎07-22-2014 10:32 PM

I want to dump the following XML log file keeping in mind the fact that it should give all the tags as a fields such that I could search the events where

Text="Application: Directory started" Category="BIG" Module="WorkflowHost"

What should I write in props.conf


b476f836-36dd-4c30-9a8e-0587c5d34b8d
2014-01-09 10:45:31.69
Application: Directory started
BIG
Workflow
Event
General
WorkflowHost


0
5420
e2ac3262e9b9d03f



b476f836-36dd-4c30-9a8e-0587c5d34b8d
2014-01-09 10:45:41.57
Application: PatientDirectory started
BIG
PatientDirectory
Event
General
PatientDirectory


0
2180
e2ac3262e9b9d03f



b476f836-36dd-4c30-9a8e-0587c5d34b8d
2014-01-09 10:45:42.15
Application: Report started
BIG
Workflow
Event
General
WorkflowHost


0
5420
e2ac3262e9b9d03f


PLs help....:)

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-23-2014 08:01 AM

This works fine for me with your sample data.

On Indexer, 

props.conf

[thexml]
BREAK_ONLY_BEFORE = ^\<message\>
MAX_TIMESTAMP_LOOKAHEAD = 150
NO_BINARY_CHECK = 1
pulldown_type = 1
REPORT-xmlext = xmlkv-alternative

transforms.conf

[xmlkv-alternative]
REGEX = <([^\s\>]*)[^\>]*\>([^<]*)\<\/\1\>
FORMAT = $1::$2

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-23-2014 08:01 AM

This works fine for me with your sample data.

On Indexer, 

props.conf

[thexml]
BREAK_ONLY_BEFORE = ^\<message\>
MAX_TIMESTAMP_LOOKAHEAD = 150
NO_BINARY_CHECK = 1
pulldown_type = 1
REPORT-xmlext = xmlkv-alternative

transforms.conf

[xmlkv-alternative]
REGEX = <([^\s\>]*)[^\>]*\>([^<]*)\<\/\1\>
FORMAT = $1::$2
Reply
Solved! Jump to solution

20065945
Explorer
‎07-23-2014 05:48 AM

Thanks strive but I went through all these links. There is no solution over there. All the conversations are stuck at one point. Hence failure. 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...