Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change from XML format to "Normal" format?

jamie1
Communicator
‎03-31-2023 07:50 AM

Hi there,

Before installing the Windows TA addon to a server , Windows Event Logs were shown in a different format, they are now shown in XML. I want to see searches in the original format.

I have checked the inputs.conf file and noticed "renderXml=true", I changed this to "renderXml=false" but it hasn't made a difference. 

Any help would be appreciated.

Jamie

Labels (3)
Preview file
20 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2023 08:08 AM

Hi @jamie1,

then try :

 

renderXml = false

then, a very stupid question (only to cancel every possible error!): obviously you restarted Splunk on the UF after update.

 

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2023 07:54 AM

Hi @jamie1,

add 

renderXml = False

to your inputs.conf stanzas.

For more infos, see at https://docs.splunk.com/Documentation/Splunk/9.0.4/admin/Inputsconf

renderXml = <boolean>
* Whether or not the input returns the event data in XML (eXtensible Markup
  Language) format or in plain text.
* Set this to "true" to render events in XML.
* Set this to "false" to output events in plain text.
* If you set this setting to "true", you should also set the 'suppress_text',
  'suppress_sourcename', 'suppress_keywords', 'suppress_task', and
  'suppress_opcode' settings to "true" to improve thruput performance.
* Default: false

Ciao.

Giuseppe

Reply
Solved! Jump to solution

jamie1
Communicator
‎03-31-2023 08:01 AM

Hi Giuseppe,

I have added this line to the stanzas within the UF inputs.conf and the Windows TA inputs.conf and it doesn't seem to have worked.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2023 08:08 AM

Hi @jamie1,

then try :

 

renderXml = false

then, a very stupid question (only to cancel every possible error!): obviously you restarted Splunk on the UF after update.

 

Ciao.

Giuseppe

Reply
Solved! Jump to solution

jamie1
Communicator
‎03-31-2023 08:14 AM

Hi @gcusello,

Switching to lowercase and spacing the words between the = fixed it.

Thanks for your help 🙂

Jamie

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-31-2023 08:42 AM

Hi @jamie1,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...