Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- xml rest import not spltting into envents
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
xml rest import not spltting into envents
gkwl22000
New Member
08-15-2018
07:59 AM
I have a dashboard xml export from another app. the xml does not appear to be forrmatted as true xml using <> for some sections. in the sample code below I need the break on each section starting with chartdashlet (ie each section is an event). I have added the following line in the props.conf
BREAK_ONLY_BEFORE = (?m)^(<chartdashlet)
the regex is supposed to cause the break before each chartdashlet entry
Sourcetype props.conf entry:
[dynatrace_cbosys_xml]
SHOULD_LINEMERGE = true
#LINE_BREAKER = }(,){
BREAK_ONLY_BEFORE = (?m)^(<chartdashlet)
SEDCMD-remove_header = s/\{\"meta.+?data\":\[//g
SEDCMD-remove_footer = s/\]\}//g
TRUNCATE = 0
The xml input still comes in as one event. See sample xml event below:
<?xml version="1.0" encoding="utf-8"?><dashboardreport name="CBOSYS_Application_Status" version="7.0.7.1013" reportdate="2018-08-15T10:55:06.637-04:00" description=""> <source name="Branch-Capture"> <filters summary="last 15s"> <filter>tf:OffsetTimeframe?15:SECONDS</filter> </filters> </source> <reportheader> <reportdetails> <user>kl4m</user> </reportdetails> </reportheader> <data> <chartdashlet name="Heap Utilization" description="" showabsolutevalues="false"> <measures structuretype="tree"> <measure measure="Memory Utilization" color="#c00000" aggregation="Average" unit="%" thresholds="true" drawingorder="1"> <measurement timestamp="1534344900000" avg="43.397125244140625" min="43.397125244140625" max="43.397125244140625" sum="43.397125244140625" count="1"></measurement> </measure> </measures> </chartdashlet> <chartdashlet name="Failed Transactions" description="" showabsolutevalues="false"> <measures structuretype="tree"> <measure measure="Failed Transaction Percentage" color="#cd1919" aggregation="Average" unit="%" thresholds="true" drawingorder="1"></measure> </measures> </chartdashlet> <chartdashlet name="Web Page Response" description="" showabsolutevalues="false"> <source> <filters summary="last 5 minutes"> <filter>tf:Last5Min</filter> </filters> </source> <measures structuretype="tree"> <measure measure="HttpStatusCode" color="#000000" aggregation="Last" unit="num" thresholds="true" drawingorder="1"> <measurement timestamp="1534344690000" avg="200.0" min="200.0" max="200.0" sum="200.0" count="1"></measurement> </measure> </measures> </chartdashlet> <chartdashlet name="JVM Availability" description="" showabsolutevalues="false"> <measures structuretype="tree"> <measure measure="JVM Availability - BC" color="#c080c0" aggregation="Last" unit="num" thresholds="true" drawingorder="1"> <measurement timestamp="1534344900000" avg="20.0" min="20.0" max="20.0" sum="20.0" count="1"></measurement> </measure> </measures> </chartdashlet> <chartdashlet name="JDBC Pool" description="" showabsolutevalues="false"> <measures structuretype="tree"> <measure measure="JDBC Connection Pool Percent Used" color="#004080" aggregation="Average" unit="%" thresholds="true" drawingorder="1"> <measurement timestamp="1534344900000" avg="0.0" min="0.0" max="0.0" sum="0.0" count="2"></measurement> </measure> </measures> </chartdashlet> <chartdashlet name="Response Time" description="" showabsolutevalues="false"> <measures structuretype="tree"> <measure measure="Web Page Requests" color="#0000c0" aggregation="Average" unit="ms" thresholds="true" drawingorder="1"></measure> </measures> </chartdashlet> </data></dashboardreport>
avg = 43.397125244140625
max = 43.397125244140625
measure = Memory Utilization
min = 43.397125244140625
name = CBOSYS_Application_Status
Any help is extremely appreciated
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Monitoring AI Agents with Splunk Observability Cloud
Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...
[Puzzles] Solve, Learn, Repeat: Tiling
This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...
SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...
Thursday, July 9, 2026 | 11:00AM–12:00PM PDT
Duration: 1 hour (includes Q&A)
Managing can feel like a ...
