Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to add and parse XML data in Splunk?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
prijila
Engager
11-17-2014
11:48 AM
Hi,
I have an XML file as my source file. It has the following structure:
<photos>
<photo id="123" title="Birthday" format="jpg">
<owner id="1111">Jason</owner>
<comments>
<comment ownerid="112">Good pic!</comment>
<comment ownerif="223">Happy birthday</comment>
<comments>
</photo>
</photos>
How do i parse this and load this data into splunk?
Thank you in advance.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vasanthmss
Motivator
11-18-2014
09:38 AM
Hi,
sample xml,
<photos>
<photo id="1231" title="Birthday" format="jpg">
<owner id="1112">Jason</owner>
<comments>
<comment ownerid="113">Good pic!</comment>
<comment ownerid="224">Happy birthday</comment>
<comments>
</photo>
</photos>
props.conf
[yoursourcetype]
DATETIME_CONFIG = CURRENT
KV_MODE = xml
LINE_BREAKER = (<photos>)
MUST_BREAK_AFTER = \</photos\>
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TRUNCATE = 0
pulldown_type = 1
FIELDALIAS-rootfields = photo.owner as Owner photo{@id} as PhotoID photo{@title} as PhotoTitle photo.owner{@id} as PhotoOwnerID photo{@format} as PhotoFormat photo.comments.comment{@ownerid} as CommentOwnerID photo.comments.comment as Comment
Search
index=<yourindex> sourcetype=<yoursourcetype> | table PhotoID,PhotoTitle,PhotoFormat,CommentOwnerID,Comment,Owner
V
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vasanthmss
Motivator
11-18-2014
09:38 AM
Hi,
sample xml,
<photos>
<photo id="1231" title="Birthday" format="jpg">
<owner id="1112">Jason</owner>
<comments>
<comment ownerid="113">Good pic!</comment>
<comment ownerid="224">Happy birthday</comment>
<comments>
</photo>
</photos>
props.conf
[yoursourcetype]
DATETIME_CONFIG = CURRENT
KV_MODE = xml
LINE_BREAKER = (<photos>)
MUST_BREAK_AFTER = \</photos\>
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TRUNCATE = 0
pulldown_type = 1
FIELDALIAS-rootfields = photo.owner as Owner photo{@id} as PhotoID photo{@title} as PhotoTitle photo.owner{@id} as PhotoOwnerID photo{@format} as PhotoFormat photo.comments.comment{@ownerid} as CommentOwnerID photo.comments.comment as Comment
Search
index=<yourindex> sourcetype=<yoursourcetype> | table PhotoID,PhotoTitle,PhotoFormat,CommentOwnerID,Comment,Owner
V
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
donaldwayne1975
Path Finder
03-15-2017
06:58 AM
Very helpful. working with an XML that the designer decided to embed more fields in the value between the tags like this:
$field1=stuff,$field2=morestuff,$field3=evenmorestuff
Have not found a way to get these $fields to extract successfully. Suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
akocak
Contributor
08-30-2018
03:04 PM
@donaldwayne1975
You can add EVAL into your props for this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ifremer2015
New Member
04-21-2015
04:04 PM
Which props.con should we modify ? ../etc/system or ..etc/apps
Thank you !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
krishnarajb2304
Explorer
08-10-2015
11:49 AM
In-case if the sourcetype belongs to one application you can update this in application (/etc/apps//local/props.conf.
The same sourcetype can be re-used in more than one application you can add it in system props.conf
/etc/system/local/props.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aljohnson_splun
Splunk Employee
11-17-2014
04:30 PM
This might be helpful:
http://answers.splunk.com/answers/683/xml-input-line-breaking-and-field-extraction-how.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Raghav2384
Motivator
11-17-2014
11:53 AM
xmlkv and path should help you. Please refer this answer http://answers.splunk.com/answers/54957/how-to-extract-data-from-xml.html
Hope this helps.
Thanks,
Raghav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
RMcCurdyDOTcom
Explorer
09-26-2023
06:59 AM
nmap XML to SPLUNK HEC !!!
https://github.com/freeload101/SCRIPTS/blob/b3f83288a9f289d86f6cdd04898478d0427097ce/Bash/NMAP_FRUIT.sh#L80
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
RMcCurdyDOTcom
Explorer
09-26-2023
07:02 AM
got nasty gram for posting links
search online for freeload101 github in scripts nmap_fruit.sh
Get Updates on the Splunk Community!
Building Reliable Asset and Identity Frameworks in Splunk ES
Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...
Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting
For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...
Automatic Discovery Part 3: Practical Use Cases
If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...
