Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

help indexing XML

johnrbhancock
Engager
‎12-18-2023 02:22 PM

I am attempting to ingest an XML file but am getting stuck can someone please help. The data will ingest if I remove "BREAK_ONLY_BEFORE =\<item\>"  but with a new event per item.

 

this is the XML and code I have tried

 

<?xml version="1.0" standalone="yes"?>
<DocumentElement>
  <item>
    <hierarchy>ASA</hierarchy>
    <hostname>AComputer</hostname>
    <lastscandate>2023-12-17T11:08:21+11:00</lastscandate>
    <manufacturer>VMware, Inc.</manufacturer>
    <model>VMware7,1</model>
    <operatingsystem>Microsoft Windows 10 Enterprise</operatingsystem>
    <ipaddress>168.132.11.200</ipaddress>
    <vendor />
    <lastloggedonuser>JohnSmith</lastloggedonuser>
    <totalcost>0.00</totalcost>
  </item>
  <item>
    <hierarchy>ASA</hierarchy>
    <hostname>AComputer</hostname>
    <lastscandate>2023-12-17T12:20:21+11:00</lastscandate>
    <manufacturer>Hewlett-Packard</manufacturer>
    <model>HP Compaq Elite 8300 SFF</model>
    <operatingsystem>Microsoft Windows 8.1 Enterprise</operatingsystem>
    <ipaddress>168.132.136.160</ipaddress>
    <vendor />
    <lastloggedonuser>JohnSmith</lastloggedonuser>
    <totalcost>0.00</totalcost>
  </item>
  <item>
    <hierarchy>ASA</hierarchy>
    <hostname>AComputer</hostname>
    <lastscandate>2023-12-17T11:54:28+11:00</lastscandate>
    <manufacturer>HP</manufacturer>
    <model>HP EliteBook 850 G5</model>
    <operatingsystem>Microsoft Windows 10 Enterprise</operatingsystem>
    <ipaddress>168.132.219.32, 192.168.1.221</ipaddress>
    <vendor />
    <lastloggedonuser>JohnSmith</lastloggedonuser>
    <totalcost>0.00</totalcost>
  </item>
  <item>
    <hierarchy>ASA</hierarchy>
    <hostname>AComputer</hostname>
    <lastscandate>2023-12-17T11:50:20+11:00</lastscandate>
    <manufacturer>VMware, Inc.</manufacturer>
    <model>VMware7,1</model>
    <operatingsystem>Microsoft Windows 10 Enterprise</operatingsystem>
    <ipaddress>168.132.11.251</ipaddress>
    <vendor />
    <lastloggedonuser>JohnSmith</lastloggedonuser>
    <totalcost>0.00</totalcost>
  </item>

 

Inputs.conf

[monitor://D:\SplunkImportData\SNOW\*.xml]
sourcetype=snow:all:devices
index=asgmonitoring
disabled = 0

 

Props.conf

[snow:all:devices]
KV_MODE=xml
BREAK_ONLY_BEFORE =\<item\>
SHOULD_LINEMERGE = false
DATETIME_CONFIG = NONE
Labels (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-21-2023 06:38 AM

When using BREAK_ONLY_BEFORE, set SHOULD_LINEMERGE = true.

[snow:all:devices]
KV_MODE=xml
BREAK_ONLY_BEFORE =\<item>
SHOULD_LINEMERGE = true
DATETIME_CONFIG = NONE
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...