Solved: Re: How to add and parse XML data in Splunk?

prijila · ‎11-17-2014

Hi,
I have an XML file as my source file. It has the following structure:

<photos>
     <photo id="123" title="Birthday" format="jpg">
          <owner id="1111">Jason</owner>
          <comments>
              <comment ownerid="112">Good pic!</comment>
              <comment ownerif="223">Happy birthday</comment>
          <comments>
      </photo>
</photos>

How do i parse this and load this data into splunk?

Thank you in advance.

vasanthmss · ‎11-18-2014

Hi,

sample xml,

<photos>
<photo id="1231" title="Birthday" format="jpg">
<owner id="1112">Jason</owner>
<comments>
<comment ownerid="113">Good pic!</comment>
<comment ownerid="224">Happy birthday</comment>
<comments>
</photo>
</photos>

props.conf

[yoursourcetype]
DATETIME_CONFIG = CURRENT
KV_MODE = xml
LINE_BREAKER = (<photos>)
MUST_BREAK_AFTER = \</photos\>
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TRUNCATE = 0
pulldown_type = 1
FIELDALIAS-rootfields = photo.owner as Owner photo{@id} as PhotoID photo{@title} as PhotoTitle photo.owner{@id} as PhotoOwnerID photo{@format} as PhotoFormat photo.comments.comment{@ownerid} as CommentOwnerID photo.comments.comment as Comment

Search

index=<yourindex> sourcetype=<yoursourcetype> | table  PhotoID,PhotoTitle,PhotoFormat,CommentOwnerID,Comment,Owner

V

View solution in original post

vasanthmss · ‎11-18-2014

Hi,

sample xml,

<photos>
<photo id="1231" title="Birthday" format="jpg">
<owner id="1112">Jason</owner>
<comments>
<comment ownerid="113">Good pic!</comment>
<comment ownerid="224">Happy birthday</comment>
<comments>
</photo>
</photos>

props.conf

[yoursourcetype]
DATETIME_CONFIG = CURRENT
KV_MODE = xml
LINE_BREAKER = (<photos>)
MUST_BREAK_AFTER = \</photos\>
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TRUNCATE = 0
pulldown_type = 1
FIELDALIAS-rootfields = photo.owner as Owner photo{@id} as PhotoID photo{@title} as PhotoTitle photo.owner{@id} as PhotoOwnerID photo{@format} as PhotoFormat photo.comments.comment{@ownerid} as CommentOwnerID photo.comments.comment as Comment

Search

index=<yourindex> sourcetype=<yoursourcetype> | table  PhotoID,PhotoTitle,PhotoFormat,CommentOwnerID,Comment,Owner

V

donaldwayne1975 · ‎03-15-2017

Very helpful. working with an XML that the designer decided to embed more fields in the value between the tags like this:
$field1=stuff,$field2=morestuff,$field3=evenmorestuff
Have not found a way to get these $fields to extract successfully. Suggestions?

akocak · ‎08-30-2018

@donaldwayne1975
You can add EVAL into your props for this.

ifremer2015 · ‎04-21-2015

Which props.con should we modify ? ../etc/system or ..etc/apps

Thank you !

krishnarajb2304 · ‎08-10-2015

In-case if the sourcetype belongs to one application you can update this in application (/etc/apps//local/props.conf.

The same sourcetype can be re-used in more than one application you can add it in system props.conf
/etc/system/local/props.conf.

aljohnson_splun · ‎11-17-2014

This might be helpful:
http://answers.splunk.com/answers/683/xml-input-line-breaking-and-field-extraction-how.html

Raghav2384 · ‎11-17-2014

xmlkv and path should help you. Please refer this answer http://answers.splunk.com/answers/54957/how-to-extract-data-from-xml.html
Hope this helps.
Thanks,
Raghav

RMcCurdyDOTcom · ‎09-26-2023

nmap XML to SPLUNK HEC !!!

https://github.com/freeload101/SCRIPTS/blob/b3f83288a9f289d86f6cdd04898478d0427097ce/Bash/NMAP_FRUIT.sh#L80

RMcCurdyDOTcom · ‎09-26-2023

got nasty gram for posting links

search online for freeload101 github in scripts nmap_fruit.sh

How to add and parse XML data in Splunk?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation