Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Where and how do I configure a sourcetype for generic xml?

dorbi
Explorer
‎12-20-2022 07:11 AM

Hey there!

I'm trying to monitor(batch)) a folder congaing  xml files, 

the XML files don't necessarily have the same structure, also they have multiple hierarchy and the level of it might vary .

where and how do i configure a sourcetype the know's how to handle this kind of a case so i won't have to parse the data with rex on search time.

 

example for a file that may exists:

dorbi_0-1671549060796.png

 

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-20-2022 08:41 AM

The rex command is very flexible, but there are others you can use.  Consider xpath and xmlkv.

In props.conf, consider using KV_MODE = xml to have Splunk automatically extract fields.

---
If this reply helps you, Karma would be appreciated.
Reply

dorbi
Explorer
‎12-21-2022 02:38 AM

Writing regex with Rex field =_raw.. 

Is a great solution but I would like to do it at source type level so I won't have to write long and complicated querys.

I tried xmlkv and kv_mode = xml both doesn't extract fields with 2 or more levels of hierarchy so I'm missing a lot of fields.

Any more suggestions please?

 

 

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-21-2022 06:16 AM

Have you tried KV_MODE = xml in props.conf?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

dorbi
Explorer
‎12-22-2022 01:28 AM

is there a way to see how it will work before applying it ? 

so if it won't work as planned i won't have to delete all the data inserted?

did you happen to check how it works on generic xml files or any sample from some place else?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-22-2022 06:49 AM

Regrettably, there is no way to see how fields will be extracted before ingesting data.  The Extract FIeld wizard lets you preview extractions, but requires onboarded events.

This is a good use for a test system, even if it's your workstation.  Capture some sample data in a file, transfer the file to the test system and experiment with field extractions there.  Once you have it working as desired, export the settings in an app for installation in Production.  When you're done, just delete the index you used for testing.

If you can't use a test system then you'll have to test in Production.  Use a separate index (I call mine "test") until you have the extractions working right.  Since you're likely to be using search-time extractions, you should need to ingest the data only once.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...