- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I add and parse the XML data into Splunk
I am getting an XML of below format
<result>
<attribute>
<display_value/>
<value/>
</attribute>
<u_State>
<display_value>Georgia</display_value>
<value>Georgia</value>
</u_State>
<u_city>
<display_value>Atlanta</display_value>
<value>Atlanta</value>
</u_city>
<u_supplier_name>
<display_value/>
<value/>
</result>
I found a solution at https://answers.splunk.com/answers/187195/how-to-add-and-parse-xml-data-in-splunk.html but is not helping me with mentioned xml format for field extractions during data ingestion.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @vidhyaArumalla,
Based on the sample data, below configuration should get you started.
Please note that, I am using DATETIME_CONFIG = NONE setting because, there is no timestamp available in the sample data. If this is the case with real data, this setting will leave the event time set to whatever time was selected by the input layer(for ex: Universal forwarder). If timestamp is available in data, then you should use TIME_FORMAT & TIME_PREFIX settings to explicitly extract timestamps. Let me know if this helps.
[custom_sourcetype_XML]
KV_MODE = xml
LINE_BREAKER = ([\r\n]+)\<result\>
SHOULD_LINEMERGE = false
DATETIME_CONFIG = NONE
EXTRACT-State = \<u\_State\>\s*\<display\_value\>(?<State>\w+)\<\/
EXTRACT-City = \<u\_city\>\s*\<display\_value\>(?<City>\w+)\<\/
