Hello
I did try XML extractions before on 4.3 which used to work fine. But in 6 I seem to have an issue.
Here is my config
BREAK_ONLY_BEFORE =^\<\?xml
SHOULD_LINEMERGE = true
MAX_TIMESTAMP_LOOKAHEAD=200
KV_MODE = xml
And the data looks like
<?xml version="1.0" encoding="UTF-8" ?>
<ResultSetData>
<Row>
<Column name="DATE_TIME">2/21/2014 9:35:53</Column>
<Column name="HOST_NAME">xxxxx</Column>
<Column name="INSTANCE_NAME">yyyyy</Column>
<Column name="USERNAME">aaaaaa</Column>
<Column name="PROFILE">zzzzz</Column>
<Column name="ACCOUNT_STATUS">ccccc</Column>
</Row>
</ResultSetData>
Line breaking and timestamp looks good but the field extractions doesn't seem to work.Any ideas?
When I use spath that works again
Any idea if this can be done?
we have it in the format
In addition, you probably just want to start with the
I did that too . Line Break isn't really a problem here as I am not really particular about it. Looks like I will have to change the format of the XML now. Is there no way for us to make splunk do those extractions in KV_MODE as XML?
Is it the