Splunk XML data formatting

smusunuri1 · ‎12-30-2015

I trying to split the xml data while pushing into splunk. I had a tough time working on this as this a combination of XML and CSV format.

Input:

10:26:10 PST 16 Nov 2015
    <employee details="ename;position;branch" department="XYZ">AA;systems engineer;seattle
</employee>

1:26:10 PST 16 Nov 2015
    <employee details="ename;position;branch" department="XYZ">BB;Lead;seattle
CC;Tech Lead,Redmond    
</employee>

6:26:10 PST 16 Nov 2015
    <employee details="ename;position;branch" department="XYZ">DD;data architect;annapolis
</employee>

Expected Output:

ename position branch
AA systems engineer seattle
BB Lead seattle
CC Tech Lead Redmond
DD data architect annapolis

sundareshr · ‎12-30-2015

Unless this sample is incomplete, I don't see valid XML. If this data is correct, then you can strip out the unwanted data using SEDCMD in your props.conf like this

SEDCMD-removeunwanted=s/(\<.*\>)//g

http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Anonymizedatausingconfigurationfiles

Now to extract the fields, use the DELIMS in your transforms... like so

[extract_fields]
DELIMS = ";"
FIELDS = "ename", "position", "branch"

http://docs.splunk.com/Documentation/Splunk/6.1/admin/Transformsconf

Splunk XML data formatting

Get Operational Insights Quickly with Natural Language on the Splunk Platform

Stay Connected: Your Guide to August Tech Talks, Office Hours, and Webinars!

Unleash the Power of Splunk MCP and AI, Meet Us at .Conf 2025, and Find Even More New ...

Are you a member of the Splunk Community?

Splunk XML data formatting

Get Operational Insights Quickly with Natural Language on the Splunk Platform

Stay Connected: Your Guide to August Tech Talks, Office Hours, and Webinars!

Unleash the Power of Splunk MCP and AI, Meet Us at .Conf 2025, and Find Even More New ...