Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I parse this XML output into splunk?

edtayloreyc
New Member
‎06-09-2016 06:29 AM

How do I parse this XML output into Splunk?

<configResolveClass cookie="1465464629/12a64fe8-34d5-14d5-8038-86f9029bca70" response="yes" classId="faultInst">
    <outConfigs>
        <faultInst ack="yes" cause="equipment-degraded" code="F0997" created="Thu Jan  7 20:29:58 2016" descr="Storage Raid Battery SLOT-3 Degraded: please check the battery or the storage controller" affectedDN="sys/rack-unit-1/board/storage-SAS-SLOT-3/raid-battery" highestSeverity="critical" id="3539993344" lastTransition="Thu Jan  7 19:46:32 2016" lc="flapping" occur="45" origSeverity="cleared" prevSeverity="cleared" rule="fltStorageRaidBatteryDegraded" severity="minor" tags="storage" type="server" dn="sys/rack-unit-1/board/storage-SAS-SLOT-3/raid-battery/fault-F0997" />
    </outConfigs>
</configResolveClass>

Currently Splunk treats the whole chunk as a block. Here is my props.conf:

[ciscofaults]
DATETIME_CONFIG = CURRENT
KV_MODE = xml
LINE_BREAKER = <faultInst
MUST_BREAK_AFTER = </faultInst>
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TRUNCATE = 0
pulldown_type = 1
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

coltwanger
Contributor
‎06-09-2016 04:00 PM

Do you want to just pull out the key value pairs or parse the actual XML or both?

This will at least pull out the key-value pairs:

[ciscofaults]
BREAK_ONLY_BEFORE = </faultInst>
DATETIME_CONFIG = 
LINE_BREAKER = <faultInst
NO_BINARY_CHECK = true
category = Custom
kv_mode = auto
pulldown_type = true

View solution in original post

Reply
Solved! Jump to solution
Solution

coltwanger
Contributor
‎06-09-2016 04:00 PM

Do you want to just pull out the key value pairs or parse the actual XML or both?

This will at least pull out the key-value pairs:

[ciscofaults]
BREAK_ONLY_BEFORE = </faultInst>
DATETIME_CONFIG = 
LINE_BREAKER = <faultInst
NO_BINARY_CHECK = true
category = Custom
kv_mode = auto
pulldown_type = true
Reply
Solved! Jump to solution

edtayloreyc
New Member
‎06-10-2016 03:20 AM

Thanks for the replies. I'd like to also parse the actual XML. This does pull out the KV pairs..

0 Karma
Reply
Solved! Jump to solution

edtayloreyc
New Member
‎06-10-2016 05:17 AM

This works quite well actually. This is what I need. Thanks for the assistance and the knowledge.

0 Karma
Reply
Solved! Jump to solution

ryanoconnor
Builder
‎06-09-2016 08:40 AM

Is your data coming into the sourcetype ciscofaults?

Is this props.conf file on an Indexer or Heavy Forwarder?

Keep in mind MUST_BREAK_AFTER will only be applied if SHOULD_LINEMERGE=true so you don't need the MUST_BREAK_AFTER line.

You're probably going to need a different LINE_BREAKER command. Can you post the raw events of a couple events?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...