- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- xml log line breaking
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have an xml as below, which is not which not correctly formatted ( whole xml is on one line). I am trying to configure a props.conf file to extract the following xml in the following format.
<listing
<record
</record>
<record
</record>
<record
</record>
</listing>
The props setting looks like below. But i am not able break them to a tree structure as shown above.
Could anyone please help ?
The following props.conf is working well when the xml is put to a xml formatter to format them to a proper xml structure. But otherwise not.
[testing]
BREAK_ONLY_BEFORE = <record
KV_MODE = xml
MUST_BREAK_AFTER = </record>
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TRUNCATE = 1000000
<?xml version="1.0" ?><listing action="Services" count="71"><message message="Listing is displayed" status="success"/> <record AuthDSId="null" AuthFormPostUrl="null" AuthFormType="null" BackupAcquirer="null" TraceExpires="null" UnicastDataQos="-1" WeakCertification="false" genId_="82497"> <list name="DirectClusterAssignments" size="0" type="ClusterConfig"/> <list name="PChannelToClusterAssignments" size="0" type="ClusterConfig"/> <list name="PChannelToDeviceGroupAssignments" size="0" type="DeviceGroup"/> <list name="DeviceGroups" size="1" type="DeviceGroup"> <entry id="DeviceGroup_388"/> </list> <list name="Playlists" size="0" type="Playlist"/><list name="LibraryNodes" size="0" type="LnConfig"/><list name="CachingNodes" size="0" type="CnConfig"/> </record> <record AuthDSId="null" AuthFormPostUrl="null" Fqdn="bpm.test.com" WeakCertification="false" genId_="82899"> <list name="DsvcLocations" size="0" type="DsvcLocation"/> <list name="ChannelMCasts" size="0" type="ChannelMCast"/> </record> <record AuthDSId="null" AuthFormPostUrl="null" Fqdn="mobile.test.com" WeakCertification="True" genId_="82497"> <list name="DsvcLocations" size="0" type="DsvcLocation"/> <list name="ChannelMCasts" size="0" type="ChannelMCast"/> </record></listing>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have finally figured it out used the following props. I was using the props to be used along with "REST API Modular Input" App. There was a bug in the App - line breaker was ignored, which "Damien" has fixed and provided an updated beta 06 version. (now available in splunkbase)
Thanks
Regards
KK
DATETIME_CONFIG = CURRENT
KV_MODE = xml
LINE_BREAKER = >(\s+)<record
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TRUNCATE = 1000000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have finally figured it out used the following props. I was using the props to be used along with "REST API Modular Input" App. There was a bug in the App - line breaker was ignored, which "Damien" has fixed and provided an updated beta 06 version. (now available in splunkbase)
Thanks
Regards
KK
DATETIME_CONFIG = CURRENT
KV_MODE = xml
LINE_BREAKER = >(\s+)<record
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TRUNCATE = 1000000
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
