Re: spunk data input - xml

syloee · ‎06-27-2021

This is data file(<Interceptor>~~~</Interceptor><Interceptor>~~~</Interceptor>)

<?xml version="1.0" encoding="UTF-8" ?><dataroot><Interceptor><AttackCoords>-80.33100097073213,25.10742916222947</AttackCoords><Outcome>Interdiction</Outcome><Infiltrators>23</Infiltrators><Enforcer>Ironwood</Enforcer><ActionDate>2013-04-24</ActionDate><ActionTime>00:07:00</ActionTime><RecordNotes></RecordNotes><NumEscaped>0</NumEscaped><LaunchCoords>-80.23429525620114,24.08680387475695</LaunchCoords><AttackVessel>Rustic</AttackVessel></Interceptor>

-> i want to this ↓

i use
LINE_BREAKER = <Interceptor>
MUST_BREAK_AFTER = \</Interceptor\>

but i can't do.

What can I do?

venkatasri · ‎06-27-2021

Hi @syloee

You can try following, make sure you set TIME* stamp extractions as well. Following works for event starts with <Interceptor> and the same tag would be truncated you won't find it in the event. These settings should be deployed to HF/indexer.

[ __auto__learned__ ]
SHOULD_LINEMERGE=false
LINE_BREAKER=(\<Interceptor\>)
NO_BINARY_CHECK=true

----

An upvote would be appreciated and Accept solution if it helps!

syloee · ‎06-27-2021

thank you very much

venkatasri · ‎06-27-2021

@syloee Hope it helped. Appreciate if you could Accept solution.

spunk data input - xml

inputs.conf

props.conf

transforms.conf

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Investigate Security and Threat Detection with VirusTotal and Splunk Integration