I'm working with some configuration files I'd like Splunk to monitor for changes, specifically Cisco Jabber on a Windows box. When I import this into my dev box (with KV_MODE=xml), it doesn't know what to do with the key/value pairs (I set the encoding and linemerge=true).
Do I need to use regex to grab these fields? I was really hoping to just import them into Splunk and have it create the name:value pairs as fields. My absolute last resort would be using Python to convert these to JSON for Splunk (not ideal).
Here is a snippet of the config file I'm trying to get Splunk to recognize:
<?xml version="1.0" encoding="UTF-8"?>
<Jabber>
<userConfig name="somename" value="true"/>
<userConfig name="stores" value="filename:24:filename2:76"/>
...
</Jabber>
As long as you have the entire XML data extracted into a field (via field extraction or rex), you can use spath or xpath to pull out the fields of your choice. The following is a run-anywhere search based on your sample data:
| makeresults
| eval xmlData="
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<Jabber>
<userConfig name=\"somename\" value=\"true\"/>
<userConfig name=\"stores\" value=\"filename:24:filename2:76\"/>
</Jabber>
"
| spath input=xmlData path=Jabber.userConfig{@name} output=names
| spath input=xmlData path=Jabber.userConfig{@value} output=values
| spath input=xmlData path=Jabber.userConfig{1}{@name} output=name1
| spath input=xmlData path=Jabber.userConfig{1}{@value} output=value1
| table names values name1 value1 xmlData
Refer to spath documentation for details: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath
Thanks, that works great for the Statistics tab, but the Events view is still one big XML event and the fields aren't extracting at all. I'm going to try a few other settings to see if Splunk will just recognize the key/value pairs. I suppose I could evaluate conditions off of your solution, but that seems overly complex for what I'm trying to do.
Here is what I used after the raw data search (works great for a table):
| spath path=Jabber.userConfig{@name} output=names | spath path=Jabber.userConfig{@value} output=values | table names values
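The question mentions, as a last resort, converting the Jabber config to JSON before feeding it to Splunk. As an added example that is not part of the original thread or any Cisco/Splunk code, the script below does the equivalent of the answer's `spath ... {@name}` / `{@value}` paths in Python: it walks the `userConfig` elements, keeps the `name`/`value` attribute pairs in document order, folds them into one flat dictionary (repeated names become a list, the way Splunk would present a multivalue field), and emits a single JSON event. The sample XML is constructed from the snippet in the question; the event key names (`source`, `userConfig`) and the idea of indexing the output with KV_MODE=json are assumptions for illustration, not something the page specifies.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample, copied from the config snippet in the question.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Jabber>
<userConfig name="somename" value="true"/>
<userConfig name="stores" value="filename:24:filename2:76"/>
</Jabber>
"""


def extract_user_config(xml_text):
    """Return (name, value) pairs from every <userConfig> under the root.

    Mirrors spath's Jabber.userConfig{@name} / {@value} paths: the order of
    the returned list matches document order, so index i here corresponds to
    Jabber.userConfig{i+1} in the SPL answer above.
    """
    # The stdlib parser is acceptable for a trusted local config file.  If the
    # XML can come from an untrusted source, parse it with defusedxml instead
    # to block entity-expansion attacks.  Leading whitespace is stripped
    # because expat rejects an <?xml?> declaration that is not at offset 0.
    root = ET.fromstring(xml_text.lstrip())
    if root.tag != "Jabber":
        raise ValueError("expected <Jabber> root, got <%s>" % root.tag)
    pairs = []
    for element in root.findall("userConfig"):
        name = element.get("name")
        value = element.get("value")
        if name is None or value is None:
            # Malformed entry: keep going rather than lose the whole file.
            continue
        pairs.append((name, value))
    return pairs


def to_fields(pairs):
    """Fold ordered pairs into a flat dict.

    A name that occurs more than once becomes a list, which is how a Splunk
    multivalue field would look after spath; a single occurrence stays a str.
    """
    fields = {}
    for name, value in pairs:
        if name not in fields:
            fields[name] = value
        elif isinstance(fields[name], list):
            fields[name].append(value)
        else:
            fields[name] = [fields[name], value]
    return fields


def to_json_event(xml_text, source="jabber-config.xml"):
    """Serialize one config file as a single-line JSON event.

    Assumed layout (not from the page): {"source": ..., "userConfig": {...}}.
    A sourcetype with KV_MODE=json would then surface userConfig.<name> as
    fields in the Events view without any rex or spath.
    """
    event = {"source": source, "userConfig": to_fields(extract_user_config(xml_text))}
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


if __name__ == "__main__":
    print(to_json_event(SAMPLE_XML))
```

Feed each config file through `to_json_event` into its own line of an indexed file (or a scripted input) and every `userConfig name="..."` becomes a `userConfig.<name>` field on the event itself, which is what the follow-up comment says spath alone does not give in the Events view.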