How can I add and parse the XML data into Splunk

vidhyaArumalla · ‎07-18-2018

I am getting an XML of below format

<result>
    <attribute>
    <display_value/>
    <value/>
    </attribute>
    <u_State>
        <display_value>Georgia</display_value>
        <value>Georgia</value>
    </u_State>
    <u_city>
        <display_value>Atlanta</display_value>
        <value>Atlanta</value>
    </u_city>
    <u_supplier_name>
    <display_value/>
    <value/>
</result>

I found a solution at https://answers.splunk.com/answers/187195/how-to-add-and-parse-xml-data-in-splunk.html but is not helping me with mentioned xml format for field extractions during data ingestion.

sudosplunk · ‎07-19-2018

Hello @vidhyaArumalla,

Based on the sample data, below configuration should get you started.

Please note that, I am using DATETIME_CONFIG = NONE setting because, there is no timestamp available in the sample data. If this is the case with real data, this setting will leave the event time set to whatever time was selected by the input layer(for ex: Universal forwarder). If timestamp is available in data, then you should use TIME_FORMAT & TIME_PREFIX settings to explicitly extract timestamps. Let me know if this helps.

Props.conf

[custom_sourcetype_XML]
KV_MODE = xml
LINE_BREAKER = ([\r\n]+)\<result\>
SHOULD_LINEMERGE = false
DATETIME_CONFIG = NONE
EXTRACT-State = \<u\_State\>\s*\<display\_value\>(?<State>\w+)\<\/
EXTRACT-City = \<u\_city\>\s*\<display\_value\>(?<City>\w+)\<\/

How can I add and parse the XML data into Splunk

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

How can I add and parse the XML data into Splunk

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I