Splunk Search

How to feed .xml data into Splunk to run searches on?

rakeshcse2
New Member

I have some .xml files at a location say: C/test/logs

How can I configure Splunk to fetch those xml files and show results during a search operation?


somesoni2
SplunkTrust

rakeshcse2
New Member

These links have a lot of information, but my question is which file needs to be modified?

props.conf or inputs.conf?


skoelpin
SplunkTrust

Do not modify your .conf files yet.

Go to the server which you want the data off of. Then install a forwarder (see below). Once you have that forwarder installed, go to your inputs.conf (etc/system/local) and create a stanza. Your stanza should look like this (this should be defined on the forwarder, not the indexer):

[host::hostname]
sourcetype = log4j
index = YOUR_Index_NAME

http://docs.splunk.com/Documentation/Splunk/6.2.4/Forwarding/DeployaWindowsdfmanually

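As an added example (not part of the original thread or of Splunk's documentation), here is what the two files look like for the directory in the question, C:\test\logs. The inputs.conf stanza type that watches files on disk is monitor://, and it lives on the universal forwarder; the event-breaking and timestamp settings belong in props.conf on the indexer (or a heavy forwarder), because a universal forwarder does not parse. The index name test_logs, the sourcetype test_xml, and the assumption that each file contains many <event> records with a <timestamp> child are all hypothetical and should be adjusted to the real files.

```ini
# --- On the universal forwarder (e.g. SRV-Aux01):
# C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf
# Assumed names: index "test_logs", sourcetype "test_xml"; path from the question.

[monitor://C:\test\logs]
disabled = 0
# whitelist is a regex matched against the full file path
whitelist = \.xml$
sourcetype = test_xml
index = test_logs
# XML files often start with identical bytes (<?xml ...?> and the same root tag),
# so the default CRC check can mistake a new file for one already read.
# Salting the CRC with the file path avoids that.
crcSalt = <SOURCE>

# --- On the indexer (or heavy forwarder), NOT on the universal forwarder:
# $SPLUNK_HOME/etc/system/local/props.conf
# Assumes each file holds many <event>...</event> records (hypothetical element name).

[test_xml]
SHOULD_LINEMERGE = false
# Break before each opening <event> tag. The XML declaration and root opening tag
# end up in the first event of each file unless stripped upstream.
LINE_BREAKER = ([\r\n]+)(?=<event>)
# Assumed timestamp element: <timestamp>2015-08-01T12:34:56</timestamp>
TIME_PREFIX = <timestamp>
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 25
# Large single records are truncated at this many bytes; raise for big documents
TRUNCATE = 100000
# Search-time extraction of XML elements into fields (honored on the search head)
KV_MODE = xml
```

Two checks worth doing before restarting the forwarder: the index named in inputs.conf must already exist on the indexer (indexes.conf), otherwise the indexer drops the events with an error in splunkd.log rather than creating the index; and after the restart, `splunk list monitor` on the forwarder should list C:\test\logs, while `index=test_logs sourcetype=test_xml` on the search head should return events broken at the element you chose.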

rakeshcse2
New Member

The forwarder is already installed and the search server is also able to read/parse the .log files on this host.
Installation directory: C:\Program Files\SplunkUniversalForwarder

And I can see the below in the file that you mentioned:

[default]
host = XXXX

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

So far for any changes we always modify the conf files on the main deployment server and not on each host individually.
Where do we need to add the code for .xml files?


skoelpin
SplunkTrust

There are a few ways of doing this. You can either upload them manually into Splunk (see documentation below) or you can set up a forwarder to automatically upload data into Splunk as it comes in. I'd recommend using a forwarder.

http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Uploaddata


skoelpin
SplunkTrust

When you say "search server" do you mean the indexer? You need to define your index name on the forwarder and not the indexer.

So say you have a server called 'SRV-Aux01' you want to collect log files from. You will then go to that server and install a forwarder on it; you will then go to etc/system/local/inputs.conf and define your stanza, which includes your index name.

If you wanted to define the line breaking or anything related, you will do that on the indexer.


rakeshcse2
New Member

How does it know the .xml logs location? I have not provided anything in the conf files!


skoelpin
SplunkTrust

If this was helpful then please accept my answer


skoelpin
SplunkTrust

If you do not specify the index name in your inputs.conf then it will automatically be in index=main


rakeshcse2
New Member

In my scenario, the forwarder has already been installed on SRV-Aux01.
We do not modify any files on the hosts manually. Instead, we have a splunk deployment server (that talks to all the hosts).


skoelpin
SplunkTrust

Then it is already picking up those logs. If you did not define the index on the forwarder then it's in index=main, which is the default index.

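For the setup the asker actually has, a deployment server that pushes configuration to every forwarder, the monitor stanza is not hand-edited on SRV-Aux01 at all. It goes into a deployment app on the deployment server, and serverclass.conf decides which forwarders receive that app. This is an added example, not part of the thread or of Splunk's documentation; the app name xml_inputs, server class name xml_logs, index test_logs and sourcetype test_xml are assumed names.

```ini
# --- On the deployment server:
# $SPLUNK_HOME/etc/deployment-apps/xml_inputs/local/inputs.conf
# (assumed app name "xml_inputs"; index and sourcetype are assumed too)

[monitor://C:\test\logs]
disabled = 0
whitelist = \.xml$
sourcetype = test_xml
index = test_logs

# $SPLUNK_HOME/etc/deployment-apps/xml_inputs/local/app.conf

[install]
state = enabled

# $SPLUNK_HOME/etc/system/local/serverclass.conf
# Scope the app to the host(s) that really have C:\test\logs; whitelist.N is
# matched against the client's host name, IP address or DNS name. Pushing a
# monitor stanza to every forwarder would silently index whatever happens to
# exist at that path on unrelated machines.

[serverClass:xml_logs]
whitelist.0 = SRV-Aux01

[serverClass:xml_logs:app:xml_inputs]
# A new input needs a splunkd restart on the client to take effect
restartSplunkd = true
stateOnClient = enabled
```

After saving, run `splunk reload deploy-server` on the deployment server. On its next phone-home the forwarder downloads the app into etc/apps/xml_inputs and restarts, and `splunk list monitor` on SRV-Aux01 should then show C:\test\logs. One caveat that matters for a team that has been editing forwarders by hand in the past: a conflicting stanza left in etc/system/local on the forwarder takes precedence over anything in an app's local directory, so a stale manual entry there can quietly override what the deployment server pushes.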