Have recently installed the new Splunk 6 and started the process of building Data models. Most of my data sources tend to be application based logs with very mixed formats and it doesn't make sense to specify the entire file as XML. As a result, when building a targeted search/dashboard I will pipe "|" my search to xmlkv to extract the input request portion.
With the new Data Model, it is easy enough to add children that narrow the search result to just the lines that contain XML data, but I'm not seeing a way to easily add all XML attributes (short of 1 by 1 single extractions)
Am I overlooking something?
... View more