I am trying to find a solution to an easy-sounding problem: I have an XML input file which contains billing data.
For each , I can have several contained tags and , that belong to the same Invoice.
Each of the again can have different contained.
Here is an anonymized example of one , the XML source file starts with other data (other tags), then lots of can follow:
Now, the challenge is: Splunk seems to simply concatenate subtag field values into single fields, so for , I am getting the attached result in Splunk: It seems it is just inserting spaces between the values found in the items/subitems -> fields.
But I want to actually be able to have them in single fields, e.g. by "item", because they belong to different items and there are many other subtags from that should not be "merged" together. Please note: the can "show up" even at different levels, e.g. within and - they should not get mixed!
E.g., for the Netamount example above, I want to have something like (note: the number of items/subitems can vary between Invoices; when an invoice has fewer than the max, fields can be empty):
Is there a simple way (e.g. I do not want to have crazy regex/evals that work on the "intermediate" results above) to achieve this by adjusting the configuration [ xml-breakbefore-Invoice ] above to have the fields I want? Or is this too complicated within the xml-import config, so that some (ugly) .xslt preprocessing etc. would need to be done "outside" Splunk?