Getting Data In

How do I parse this XML output into splunk?

edtayloreyc
New Member

How do I parse this XML output into Splunk?

<configResolveClass cookie="1465464629/12a64fe8-34d5-14d5-8038-86f9029bca70" response="yes" classId="faultInst">
    <outConfigs>
        <faultInst ack="yes" cause="equipment-degraded" code="F0997" created="Thu Jan  7 20:29:58 2016" descr="Storage Raid Battery SLOT-3 Degraded: please check the battery or the storage controller" affectedDN="sys/rack-unit-1/board/storage-SAS-SLOT-3/raid-battery" highestSeverity="critical" id="3539993344" lastTransition="Thu Jan  7 19:46:32 2016" lc="flapping" occur="45" origSeverity="cleared" prevSeverity="cleared" rule="fltStorageRaidBatteryDegraded" severity="minor" tags="storage" type="server" dn="sys/rack-unit-1/board/storage-SAS-SLOT-3/raid-battery/fault-F0997" />
    </outConfigs>
</configResolveClass>

Currently Splunk treats the whole chunk as a block. Here is my props.conf:

[ciscofaults]
DATETIME_CONFIG = CURRENT
KV_MODE = xml
LINE_BREAKER = <faultInst
MUST_BREAK_AFTER = </faultInst>
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TRUNCATE = 0
pulldown_type = 1
0 Karma
1 Solution

coltwanger
Contributor

Do you want to just pull out the key value pairs or parse the actual XML or both?

This will at least pull out the key-value pairs:

[ciscofaults]
BREAK_ONLY_BEFORE = </faultInst>
DATETIME_CONFIG = 
LINE_BREAKER = <faultInst
NO_BINARY_CHECK = true
category = Custom
kv_mode = auto
pulldown_type = true

View solution in original post

coltwanger
Contributor

Do you want to just pull out the key value pairs or parse the actual XML or both?

This will at least pull out the key-value pairs:

[ciscofaults]
BREAK_ONLY_BEFORE = </faultInst>
DATETIME_CONFIG = 
LINE_BREAKER = <faultInst
NO_BINARY_CHECK = true
category = Custom
kv_mode = auto
pulldown_type = true

edtayloreyc
New Member

Thanks for the replies. I'd like to also parse the actual XML. This does pull out the KV pairs..

0 Karma

edtayloreyc
New Member

This works quite well actually. This is what I need. Thanks for the assistance and the knowledge.

0 Karma

ryanoconnor
Builder

Is your data coming into the sourcetype ciscofaults?

Is this props.conf file on an Indexer or Heavy Forwarder?

Keep in mind MUST_BREAK_AFTER will only be applied if SHOULD_LINEMERGE=true so you don't need the MUST_BREAK_AFTER line.

You're probably going to need a different LINE_BREAKER command. Can you post the raw events of a couple events?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...