Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How can I exclude XML file headers from being inde...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Splunkers!
I have some XML log files that I'm monitoring on a Windows 2003 server. I got my line/event breaking set up and that's all good. However, I'm getting separate events with the XML header and the master tag that defines the beginning of the file.
<?xml version="1.0" encoding="utf-8" ?>
<log>
I also have events with just in them. I want to send these events to nullQueue but I'm not sure of the exact RegEx syntax I should use. Here is my config:
**PROPS.CONF**
[suckylogs:xml]
TRANSFORMS-nullXmlHeader = chuckXmlHeader
**TRANSFORMS.CONF**
[chuckXmlHeader]
REGEX = (?m)^(<\?xml)|(<log>)|(</log>)
DEST_KEY = queue
FORMAT = nullQueue
I'm not sure if I should have 3 separate capture groups like I have here or one big one.
Any assistance is appreciated! Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the answer already after testing it myself, but I wanted to post this question because I did not see any questions for this specific issue. Here is the proper TRANSFORMS entry with one big capture group with multiple conditions (separated by a pipe):
[chuckXmlHeader]
REGEX = (?m)^(<\?xml|<log>|</log>)
DEST_KEY = queue
FORMAT = nullQueue
If you just want to chuck the XML header because you don't have any other events, then this should work for you:
[chuckXmlHeader]
REGEX = (?m)^(<\?xml)
DEST_KEY = queue
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the answer already after testing it myself, but I wanted to post this question because I did not see any questions for this specific issue. Here is the proper TRANSFORMS entry with one big capture group with multiple conditions (separated by a pipe):
[chuckXmlHeader]
REGEX = (?m)^(<\?xml|<log>|</log>)
DEST_KEY = queue
FORMAT = nullQueue
If you just want to chuck the XML header because you don't have any other events, then this should work for you:
[chuckXmlHeader]
REGEX = (?m)^(<\?xml)
DEST_KEY = queue
FORMAT = nullQueue
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
