How do I configure Splunk to parse XML log files f...

jensonthottian · ‎04-26-2015

I have XML Log files for each transaction in POS

How to get Splunk to process these log file so key-value pairs are created per transaction.
In my case, each transaction is producing a log file - one XML file. So there are a lot of XML files needed to be processed by Splunk.

Is there an approach in Splunk to do it easily?

rsennett_splunk · ‎04-26-2015

There are two things you want to do in your props.conf file in order to parts XML files.
First... you need to tell Splunk where to break your event. Depending on what else is in the file you might want to use something like:

BREAK_ONLY_BEFORE=[you put your regex here]

Or LINE_BREAKER.
Both of these are detailed in the spec for props.conf http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Propsconf
Then you'll want to add the directive:
KV_MODE=XML
Which will produce search time field extractions based on your KV pairs.

If the data is already in Splunk and/or you don't have access to the props.conf file you can use spath to do field-time extractions within your search:

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Spath

If you want more specifics, you'll have to show some sample data.

Edit your question, and past sample data within the original question.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

How do I configure Splunk to parse XML log files for each transaction in POS?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...