How can I add and parse the XML data into Splunk

vidhyaArumalla · ‎07-18-2018

I am getting an XML of below format

<result>
    <attribute>
    <display_value/>
    <value/>
    </attribute>
    <u_State>
        <display_value>Georgia</display_value>
        <value>Georgia</value>
    </u_State>
    <u_city>
        <display_value>Atlanta</display_value>
        <value>Atlanta</value>
    </u_city>
    <u_supplier_name>
    <display_value/>
    <value/>
</result>

I found a solution at https://answers.splunk.com/answers/187195/how-to-add-and-parse-xml-data-in-splunk.html but is not helping me with mentioned xml format for field extractions during data ingestion.

sudosplunk · ‎07-19-2018

Hello @vidhyaArumalla,

Based on the sample data, below configuration should get you started.

Please note that, I am using DATETIME_CONFIG = NONE setting because, there is no timestamp available in the sample data. If this is the case with real data, this setting will leave the event time set to whatever time was selected by the input layer(for ex: Universal forwarder). If timestamp is available in data, then you should use TIME_FORMAT & TIME_PREFIX settings to explicitly extract timestamps. Let me know if this helps.

Props.conf

[custom_sourcetype_XML]
KV_MODE = xml
LINE_BREAKER = ([\r\n]+)\<result\>
SHOULD_LINEMERGE = false
DATETIME_CONFIG = NONE
EXTRACT-State = \<u\_State\>\s*\<display\_value\>(?<State>\w+)\<\/
EXTRACT-City = \<u\_city\>\s*\<display\_value\>(?<City>\w+)\<\/

How can I add and parse the XML data into Splunk

The OpenTelemetry Certified Associate (OTCA) Exam

From Manual to Agentic: Level Up Your SOC at Cisco Live

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Join the Conversation

How can I add and parse the XML data into Splunk

The OpenTelemetry Certified Associate (OTCA) Exam

From Manual to Agentic: Level Up Your SOC at Cisco Live

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)