Getting Data In

XML challenge: create and fill INDEPENDENT Splunk fields for repeating nested structures



I am trying to find a solution to an easy-sounding problem: I have an XML input file which contains billing data.
For each , I can have several contained tags and , that belong to the same Invoice.
Each of the again can have different contained.

Here is an anonymized example of one ; the XML source file starts with other data (other tags), then lots of can follow:

//some other xml structures
//lots of <Invoices> ...

<someothertags and infos>
  <Item id="bla1">
      <Name>Subscription moving-out fees</Name>
    <Item id="bla2">
      <Name>Subscription moving-in fees</Name>
    <Item id="bla2">
    <Item id="bla3">
      <Name>APN account cycle fees censored</Name>


Now, for each of the .. events, I want to create an event that contains all the information in the tags contained inside the Invoice event. I achieved this using:

[ xml-breakbefore-Invoice ]

Now, the challenge is: Splunk seems to simply concatenate subtag field values into single fields, so for , I am getting the attached result in Splunk. It seems to just insert spaces between the values found in the items/subitems fields.

But I want to actually be able to have them in single fields, e.g. per "item", because they belong to different items and there are many other subtags from that should not be "merged" together. Please note: the can "show up" even at different levels, e.g. within and ; they should not get mixed!

E.g., for the NetAmount example above, I want to have something like this (note: the number of items/subitems can vary between invoices; when an invoice has fewer than the max, fields can be empty):

Invoice.ItemsInfo.Item1.NetAmount = 0
Invoice.ItemsInfo.Item2.NetAmount = 0
Invoice.ItemsInfo.Item3.NetAmount = 150
Invoice.ItemsInfo.Item4.NetAmount = 150

Is there a simple way (e.g. I do not want to have crazy regex/evals that work on the "intermediate" results above) to achieve this by adjusting the configuration [ xml-breakbefore-Invoice ] above to get the fields I want? Or is this too complicated within the XML import config, and would some (ugly) XSLT preprocessing etc. need to be done "outside" Splunk?

Best Regards


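As an added illustration (not from the original post and not Splunk's own extraction logic), here is a Python script that performs the per-item flattening described above as a preprocessing step outside Splunk. It parses a constructed sample document using the tag names visible in the post (Invoices, Invoice, ItemsInfo, Item, Name, NetAmount), numbers repeated Item siblings separately at each nesting level so values never merge across levels, and, for contrast, models the space-concatenated result the post complains about. The Item-inside-Item layout, the id attributes and the SubItem-free structure are assumptions; the poster's real file is not shown.

```python
"""Flatten repeating nested XML elements into independent, indexed fields.

Added example, not code from the original post. The sample document is
constructed; the nested <Item> inside an <Item> and the id attributes are
assumptions about the poster's layout.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: two invoices, the second with an Item nested inside an Item.
SAMPLE_XML = """<Invoices>
  <Invoice id="inv-1">
    <ItemsInfo>
      <Item id="a1"><Name>Subscription moving-out fees</Name><NetAmount>0</NetAmount></Item>
      <Item id="a2"><Name>Subscription moving-in fees</Name><NetAmount>150</NetAmount></Item>
    </ItemsInfo>
  </Invoice>
  <Invoice id="inv-2">
    <ItemsInfo>
      <Item id="b1">
        <Name>APN account cycle fees</Name>
        <NetAmount>150</NetAmount>
        <Item id="b1-sub"><Name>Nested surcharge</Name><NetAmount>10</NetAmount></Item>
      </Item>
    </ItemsInfo>
  </Invoice>
</Invoices>"""


def flatten(element, prefix="", repeating=frozenset({"Item"})):
    """Return {dotted.path: text} for the children of element.

    Tags listed in `repeating` get a 1-based suffix (Item1, Item2, ...) and the
    counter restarts at every nesting level, so an <Item> nested inside Item1
    becomes Item1.Item1 instead of being merged with the top-level items.
    Attributes are emitted as path.attr; only non-empty leaf text is kept.
    """
    fields = {}
    counts = defaultdict(int)
    for child in element:
        tag = child.tag
        if tag in repeating:
            counts[tag] += 1
            tag = f"{tag}{counts[tag]}"
        path = f"{prefix}.{tag}" if prefix else tag
        for attr, value in child.attrib.items():
            fields[f"{path}.{attr}"] = value
        if len(child):  # has child elements: recurse with this path as prefix
            fields.update(flatten(child, path, repeating))
        text = (child.text or "").strip()
        if text:
            fields[path] = text
    return fields


def invoice_events(xml_text):
    """One flat field dict per <Invoice>, mirroring a 'break before Invoice' split."""
    root = ET.fromstring(xml_text)
    events = []
    for inv in root.iter("Invoice"):
        event = {f"Invoice.{k}": v for k, v in inv.attrib.items()}
        event.update(flatten(inv, "Invoice"))
        events.append(event)
    return events


def merged_by_invoice(xml_text):
    """Simplified model of the behaviour the post describes: same-named tags at
    any depth under an invoice are collapsed into one space-joined field."""
    root = ET.fromstring(xml_text)
    result = []
    for inv in root.iter("Invoice"):
        merged = defaultdict(list)
        for el in inv.iter():
            text = (el.text or "").strip()
            if el is not inv and text:
                merged[el.tag].append(text)
        result.append({tag: " ".join(vals) for tag, vals in merged.items()})
    return result


def kv_line(fields):
    """Render one event as key="value" pairs so it can be indexed as plain KV text."""
    return " ".join(f'{k}="{v.replace(chr(34), chr(39))}"' for k, v in sorted(fields.items()))


if __name__ == "__main__":
    for event in invoice_events(SAMPLE_XML):
        print(kv_line(event))
    for merged in merged_by_invoice(SAMPLE_XML):
        print("merged:", merged)
```

Running the script prints one line per invoice; for the second invoice the flattened form yields `Invoice.ItemsInfo.Item1.NetAmount="150"` and `Invoice.ItemsInfo.Item1.Item1.NetAmount="10"` as separate keys, whereas the merged model collapses them to `NetAmount: "150 10"`, which is the mixing across levels the question wants to avoid. If the output lines are fed to Splunk instead of the raw XML, the indexed `Item<n>` keys stay stable per nesting level even when invoices have different item counts.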