Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: XML Parsing Props.conf
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
XML Parsing Props.conf
uvmk61
New Member
08-14-2019
08:30 AM
Any help is appreciated in parsing the following xml data retrieved from DB connect input.
We just need the Name and Value pair either at props.conf sourcetype definition level or through Field Extraction.
Below is the sample event (image attached).
Thank you!
<ArrayOfDocumentIndexFieldValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<DocumentIndexFieldValue ID="812b8dce-7383-425e-b403-11352c417637">
<Value>12345</Value>
<TableValue xsi:nil="true" />
<Name>Transaction ID</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="ad4611a6-d971-49f3-a775-d9095b4e7fb0">
<Value>ABCD123</Value>
<TableValue xsi:nil="true" />
<Name>User</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="277221b1-0a7a-4c53-a1ac-f51c9bad27c0">
<Value>17</Value>
<TableValue xsi:nil="true" />
<Name>Business Process ID</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="42915916-c309-4c41-bac2-262064b667d4">
<Value>123456</Value>
<TableValue xsi:nil="true" />
<Name>CIN</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="83310d99-0f68-45c7-a1d3-b90d842a5764">
<Value>SMITH JOHN</Value>
<TableValue xsi:nil="true" />
<Name>Name</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="d60e8b6a-f814-41e8-b34c-0ca0621af200">
<Value>ABCD</Value>
<TableValue xsi:nil="true" />
<Name>Scanner ID</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="9b0cf138-2e93-4c94-98f4-5f0ebaba38b1">
<Value>1</Value>
<TableValue xsi:nil="true" />
<Name>Page Count</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="a5ef5e01-472c-4fa5-b8a6-801c4b90a787">
<Value>ABC001</Value>
<TableValue xsi:nil="true" />
<Name>Batch Group</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="6e338002-6a46-4275-83a0-a05d43c9a6eb">
<Value>123_ABC_AllDocuments</Value>
<TableValue xsi:nil="true" />
<Name>ProfileName</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="cc4d69bb-9413-47b5-a4a3-99d0218833f1">
<Value>ANNUAL ABCD SNAPSHOT</Value>
<TableValue xsi:nil="true" />
<Name>Document Type</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="d2aac869-57c7-4b01-8b77-70286bcc0fa3">
<Value>AB123</Value>
<TableValue xsi:nil="true" />
<Name>Document Type ID</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="8a657e1a-29b3-43ca-8245-c64ccd103022">
<Value>ABCDEF</Value>
<TableValue xsi:nil="true" />
<Name>Document Class</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="d71cd966-0739-4a32-9a9f-a6122c185886">
<Value>True</Value>
<TableValue xsi:nil="true" />
<Name>Expedite</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="adbefc35-c740-4400-bbec-b503b0e227a2">
<Value>ADMIN</Value>
<TableValue xsi:nil="true" />
<Name>Indexer ID</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="69b385dd-8196-4c59-972c-478a0fe9799b">
<Value>DOC1</Value>
<TableValue xsi:nil="true" />
<Name>DocID</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="64d48d87-6d3e-4363-ab43-ed7b009676d5">
<Value>2019-06-03</Value>
<TableValue xsi:nil="true" />
<Name>Financial Date</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="ce821a54-4207-4533-b2c7-56ebac989ca5">
<Value>123456789</Value>
<TableValue xsi:nil="true" />
<Name>SSNTIN</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="f993b0c6-d075-43cc-a7c8-4e3ecb92564a">
<Value>JOHN</Value>
<TableValue xsi:nil="true" />
<Name>FirstName</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="2925e416-fcaf-4989-b23a-f6b17446c345">
<Value>L</Value>
<TableValue xsi:nil="true" />
<Name>MiddleName</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="b5a0cb13-bb76-4d98-9b3c-673ea948a968">
<Value>SMITH</Value>
<TableValue xsi:nil="true" />
<Name>LastName</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="10e9ffed-c926-487b-b541-5b0686c9aae2">
<Value>True</Value>
<TableValue xsi:nil="true" />
<Name>Active</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="550fa233-b2df-45ba-a7aa-45cc8ce80f59">
<Value>123</Value>
<TableValue xsi:nil="true" />
<Name>BusinessProcessID</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="cd59aeb6-10ae-45e7-89ef-8d2964655b1a">
<Value>ANNUAL ABCD SNAPSHOT</Value>
<TableValue xsi:nil="true" />
<Name>DocTypeDesc</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="b48f0838-f8de-4459-9cc4-2ade712d0bc9">
<Value>False</Value>
<TableValue xsi:nil="true" />
<Name>eSignature</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="2646fe10-6c97-48a5-8b4f-009fc6da6e7f">
<Value>False</Value>
<TableValue xsi:nil="true" />
<Name>PasswordProtected</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="0047a4f8-095a-44e2-95fc-42aefbb23bce">
<Value>ABCDEF</Value>
<TableValue xsi:nil="true" />
<Name>ClassifierId</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="3df55d4d-fb54-4a7a-b0d3-031f19e5638e">
<Value>2019-07-24 08:51:32</Value>
<TableValue />
<Name>Transaction Date</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="021a2134-3510-4622-bca6-94df4a3010d7">
<Value>2019-07-24 08:51:32</Value>
<TableValue />
<Name>Scan Date</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="2bc3e3f6-8591-4e50-bb0a-76d628a81e14">
<Value>2019-07-24 08:51:33</Value>
<TableValue />
<Name>Indexer Date</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="f5337a5d-7b62-496c-a724-8e0df9587a20">
<Value />
<TableValue />
<Name>ABCD Name</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="b5a10c20-a4ce-4730-9148-c61dd05f89a5">
<Value />
<TableValue />
<Name>Expiration Date</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="542f48ca-cb5f-4a3b-a8e8-bd239806f20c">
<Value />
<TableValue />
<Name>Issue Location</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="63b1c6eb-700f-4801-b837-70e6859fdc03">
<Value />
<TableValue />
<Name>Issue Date</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="2d406a58-0603-422d-8d97-69453fb249c9">
<Value />
<TableValue />
<Name>Business Name</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="581f3c46-05c6-42c6-8262-60bd7219c5f4">
<Value>P00100000012345</Value>
<TableValue />
<Name>ABCDProcID</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="6e488463-5780-4c99-98f0-eb3aa11ba859">
<Value>P0010000001234–123</Value>
<TableValue />
<Name>ABCDProcID</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="05d8c0ac-4fae-4e64-97c3-0d5edbc0b064">
<Value />
<TableValue />
<Name>RetentionTrigger</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="483d23ca-d2ef-4ac8-9348-f503f4a41813">
<Value />
<TableValue />
<Name>ACSDocId</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="ecb7cacd-ae81-40fa-923b-ef81fcee9599">
<Value />
<TableValue />
<Name>FileNetID</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="a8868f3a-9111-4a5d-9bf6-18c6a798967d">
<Value />
<TableValue />
<Name>SecondaryCIN</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="0f6477de-4b61-40e6-b567-32b9974188d7">
<Value />
<TableValue />
<Name>PrimaryABCDCIN</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="170a7ea8-d3ce-429e-9dc3-6543e0322437">
<Value />
<TableValue />
<Name>ABCDID</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="dba49278-bb4c-4ca2-9007-bd28b32f4fc9">
<Value />
<TableValue />
<Name>PrimaryABCDCIN</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="c876ff14-ad1a-4f83-b7dc-11780a23886f">
<Value>ABCD123-ABCD123-ABCD123-ABCD-ABCD123.pdf</Value>
<TableValue />
<Name>FullFileName</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="6e4ee1a0-993e-453e-a3b1-6708a128cf27">
<Value />
<TableValue />
<Name>OldTransactionID</Name>
</DocumentIndexFieldValue>
<DocumentIndexFieldValue ID="7be4c600-1113-4ac1-baaa-1718783d40ad">
<Value />
<TableValue />
<Name>ActimizeId</Name>
</DocumentIndexFieldValue>
</ArrayOfDocumentIndexFieldValue>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
uvmk61
New Member
08-20-2019
08:50 AM
any other suggestions?,any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Kawtar
Path Finder
08-14-2019
11:16 AM
Hello,
There is the conf file : props.conf
[yoursourcetype]
KV_MODE=XML
Try this, and restart the splunk instance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
uvmk61
New Member
08-16-2019
06:17 AM
have tried
[sourcetype_name]
INDEXED_EXTRACTIONS = json
KV_MODE = none
and
[yoursourcetype]
KV_MODE=XML
both of them do not generate the fields we need, which are Name and Value pairs.
These are the sample pairs we would like to be able to extract -
Pair
<Value>2019-07-24 08:51:32</Value>
<Name>Scan Date</Name>
Pair
<Value>2019-07-24 08:51:33</Value>
<Name>Indexer Date</Name>
The data is a result of a query running on DB Connect App and as it is, the raw event after indexing is all mixed into 1 multi line event with all Name and Value pairs written in single event.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nplamondon
Communicator
08-14-2019
10:22 AM
What part are you having trouble with? What have you tried?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
uvmk61
New Member
08-16-2019
06:18 AM
have tried
[sourcetype_name]
INDEXED_EXTRACTIONS = json
KV_MODE = none
and
[yoursourcetype]
KV_MODE=XML
both of them do not generate the fields we need, which are Name and Value pairs.
These are the sample pairs we would like to be able to extract -
Pair
<Value>2019-07-24 08:51:32</Value>
<Name>Scan Date</Name>
Pair
<Value>2019-07-24 08:51:33</Value>
<Name>Indexer Date</Name>
The data is a result of a query running on DB Connect App and as it is, the raw event after indexing is all mixed into 1 multi line event with all Name and Value pairs written in single event.
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Event Series: Splunk Observability Metrics Cost Optimization
Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud
As ...
Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...
Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...
Deep insights, no barriers: Splunk Observability Cloud Free Edition
As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...
