All Apps and Add-ons

XML Input / first character is missing

tcoq
Path Finder

Hi together,

I'am trying to get some XML input into Splunk, but everytime the first character ("<") is missing. Due to this, Splunk cannot read XML correctly: (on two different sources)

from example-source: www.ecb.europa.eu/stats/eurofxref/eurofxref-daily.xml

this input:
<xml version="1.0" encoding="UTF-8"?><gesmes:Envel...
is getting this:
xml version="1.0" encoding="UTF-8"?><gesmes:Envel...

Is there anyone who knows why the first character is missing?

Best regard
Steffen

Tags (1)
0 Karma

mtimmsj
Explorer

The display issue appears to be corrected in 6.0.1.

yannK
Splunk Employee
Splunk Employee

This is a display issue, when you display with
source=myxmlsource | table _raw, the "<" is present.

by the way the xml starts with <?xml not <xml

when I test with <xml version="1.0" encoding="UTF-8">, the event are correctly displayed.

mtimmsj
Explorer

Hmmm if I pipe my sources to spath and then pipe that to xmlkv, I get the results I expect.

0 Karma

tries
Path Finder

I'm having exactly the same issue. My props.conf:

[host::rabbitmq]

SHOULD_LINEMERGE = true

BREAK_ONLY_BEFORE = \<\?xml\sversion

Is there a solution available for this issue ?

Thanks,

Thorsten

0 Karma

mtimmsj
Explorer

How did your ticket go? Should I send my colleague - who has access support - to open a Splunk ticket as well?

0 Karma

tries
Path Finder

just checked this with Splunk 5.0.5 and it's working. Seems like an Splunk 6.0 bug. I'll open a Splunk ticket.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...