hello splunk
i have a question that About extracting by specifying sourcetype in props.conf.
i want parsing xml data that Xml data received in response
but that data is not parsing
this is my develop environment
1. use REST API
- use REST API modular input
- Every 300 seconds https call setting
- index=main sourcetype=ex_st
- install in heavy Forwarder
I knew why it was not automatically parsed and I solved it.
The reason it has not been parsed is that the XML data passed to the response is so large that the event is restricted and the XML structure is corrupted.
i modified the "TRUNCATE" setting to include all the XML data in one event so that it was automatically parsed.
Here is the props.conf configuration.
[xml_data]
KV_MODE = xml
# BREAK_ONLY_BEFORE = \<data_list_wrap
BREAK_ONLY_BEFORE = \ <\? Xml version = \ "1 \ .0 \" encoding = \ "UTF-8 \" \?
SHOULD_LINEMERGE = true
TRUNCATE = 70000
I knew why it was not automatically parsed and I solved it.
The reason it has not been parsed is that the XML data passed to the response is so large that the event is restricted and the XML structure is corrupted.
i modified the "TRUNCATE" setting to include all the XML data in one event so that it was automatically parsed.
Here is the props.conf configuration.
[xml_data]
KV_MODE = xml
# BREAK_ONLY_BEFORE = \<data_list_wrap
BREAK_ONLY_BEFORE = \ <\? Xml version = \ "1 \ .0 \" encoding = \ "UTF-8 \" \?
SHOULD_LINEMERGE = true
TRUNCATE = 70000
Is that XML above an example of what you want to be indexed ?
yes.
i want parsing event from that one xml data
like this :
----------1st evnet ----------
data
...(skip)
/data
----------2nd evnet ----------
data
...(skip)
/data