Getting Data In

Can you help me with Palo LINE_BREAKER?

spattenqt
Explorer

I'm trying to pull in some information via REST and can't seem to figure out the LINE_BREAKER. Maybe I've been staring at the screen too much today!

Example:

<response status="success">
<script/>
<result>
<devices>
<entry name="013201000081">
  <serial>013201000081</serial>
  <connected>yes</connected>
  <unsupported-version>no</unsupported-version>
  <hostname>DDDDDDDDDDDD02P</hostname>
  <ip-address>11.11.111.111</ip-address>
  <uptime>18 days, 6:12:34</uptime>
  <family>5200</family>
  <model>PA-5220</model>
  <sw-version>8.0.10</sw-version>
  <app-version>8064-4985</app-version>
  <av-version>2737-3244</av-version>
  <wildfire-version>280074-282665</wildfire-version>
  <threat-version>8064-4985</threat-version>
  <url-db>paloaltonetworks</url-db>
  <url-filtering-version>20180914.80216</url-filtering-version>
  <logdb-version>8.0.16</logdb-version>
  <global-protect-client-package-version>0.0.0</global-protect-client-package-version>
  <domain/>
  <ha>
    <state>passive</state>
    <peer>
        <serial>013201004595</serial>
    </peer>
  </ha>
  <vpn-disable-mode>no</vpn-disable-mode>
  <operational-mode>normal</operational-mode>
  <certificate-status/>
  <certificate-subject-name>013201000081</certificate-subject-name>
  <certificate-expiry>2028/08/28 17:40:55</certificate-expiry>
  <connected-at>2018/08/30 09:14:30</connected-at>
  <custom-certificate-usage>no</custom-certificate-usage>
  <multi-vsys>no</multi-vsys>
  <vsys>
    <entry name="vsys1">
      <display-name>vsys1</display-name>
      <shared-policy-status/>
      <shared-policy-md5sum>8afc8500662247516786c9fb70c36607</shared-policy-md5sum>
    </entry>
  </vsys>
</entry>
<entry name="009401111180">
  <serial>009401111180</serial>
  <connected>yes</connected>
  <unsupported-version>no</unsupported-version>
  <hostname>AAAAAAA01P</hostname>
  <ip-address>10.10.100.100</ip-address>
  <mac-addr/>
  <uptime>67 days, 20:05:19</uptime>
  <family>500</family>
  <model>PA-500</model>
  <sw-version>8.0.10</sw-version>
  <app-version>8064-4985</app-version>
  <av-version>2737-3244</av-version>
  <wildfire-version>280074-282665</wildfire-version>
  <threat-version>8064-4985</threat-version>
  <url-db>paloaltonetworks</url-db>
  <url-filtering-version>20180917.20244</url-filtering-version>
  <logdb-version>8.0.16</logdb-version>
  <vpnclient-package-version/>
  <global-protect-client-package-version>0.0.0</global-protect-client-package-version>
  <domain/>
  <vpn-disable-mode>no</vpn-disable-mode>
  <operational-mode>normal</operational-mode>
  <certificate-status/>
  <certificate-subject-name>009401111180</certificate-subject-name>
  <certificate-expiry>2027/06/15 16:46:08</certificate-expiry>
  <connected-at>2018/08/16 10:23:37</connected-at>
  <custom-certificate-usage>no</custom-certificate-usage>
  <multi-vsys>no</multi-vsys>
  <vsys>
    <entry name="vsys1">
    <display-name>vsys1</display-name>
    <shared-policy-status/>
    <shared-policy-md5sum>05c64ee28115fd234f79d606912f2e11</shared-policy-md5sum>
    </entry>
  </vsys>
</entry>
<entry name="011111001100">...</entry>
  <entry name="011111001100">
  <serial>011111001100</serial>
  <connected>yes</connected>
  <unsupported-version>no</unsupported-version>
  <hostname>ABC1111A01Q</hostname>
  <ip-address>22.222.222.222</ip-address>
  <mac-addr/>
  <uptime>46 days, 21:21:19</uptime>
  <family>220</family>
  <model>PA-220</model>
  <sw-version>8.0.10</sw-version>
  <app-version>8064-4985</app-version>
  <av-version>2679-3176</av-version>
  <wildfire-version>263191-265719</wildfire-version>
  <threat-version>8064-4985</threat-version>
  <url-db>paloaltonetworks</url-db>
  <url-filtering-version>0000.00.00.000</url-filtering-version>
  <logdb-version>8.0.16</logdb-version>
  <vpnclient-package-version/>
  <global-protect-client-package-version>0.0.0</global-protect-client-package-version>
  <domain/>
  <vpn-disable-mode>no</vpn-disable-mode>
  <operational-mode>normal</operational-mode>
  <certificate-status/>
  <certificate-subject-name>011111001100</certificate-subject-name>
  <certificate-expiry>2028/06/28 21:18:23</certificate-expiry>
  <connected-at>2018/09/17 14:16:29</connected-at>
  <custom-certificate-usage>no</custom-certificate-usage>
  <multi-vsys>no</multi-vsys>
    <vsys>
    <entry name="vsys1">
    <display-name>vsys1</display-name>
    <shared-policy-status/>
    <shared-policy-md5sum>30ea477bf4d60197513c682029fd4f41</shared-policy-md5sum>
    </entry>
  </vsys>
</entry>
<entry name="418511332ABC111">
  <serial>418511332ABC111</serial>
  <connected>yes</connected>
  <unsupported-version>no</unsupported-version>
  <deactivated>no</deactivated>
  <hostname>AQCEW12FRAB01T</hostname>
  <ip-address>22.33.55.55</ip-address>
  <mac-addr/>
  <uptime>46 days, 15:09:27</uptime>
  <family>vm</family>
  <model>PA-VM</model>
  <sw-version>7.1.18</sw-version>
  <app-version>8064-4985</app-version>
  <av-version>2737-3244</av-version>
  <wildfire-version>280072-282663</wildfire-version>
  <threat-version>8064-4985</threat-version>
  <url-db>paloaltonetworks</url-db>
  <url-filtering-version>20180917.20242</url-filtering-version>
  <logdb-version>7.0.9</logdb-version>
  <vpnclient-package-version/>
  <global-protect-client-package-version>0.0.0</global-protect-client-package-version>
  <domain/>
  <vm-mode-type>yes</vm-mode-type>
  <is-dhcp>yes</is-dhcp>
  <vpn-disable-mode>no</vpn-disable-mode>
  <operational-mode>normal</operational-mode>
  <certificate-status/>
  <certificate-subject-name>418511332ABC111</certificate-subject-name>
  <certificate-expiry>2027/05/17 22:08:14</certificate-expiry>
  <connected-at>2018/08/23 08:18:17</connected-at>
  <custom-certificate-usage>no</custom-certificate-usage>
  <multi-vsys>no</multi-vsys>
  <vsys>
    <entry name="vsys1">
    <display-name>vsys1</display-name>
    <shared-policy-status/>
    <shared-policy-md5sum>3968de60f644f99a912fae048bd9c176</shared-policy-md5sum>
    </entry>
  </vsys>
</entry>
</result>
</response>
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try LINE_BREAKER = ([\r\n]+)<entry.

---
If this reply helps you, Karma would be appreciated.
0 Karma

spattenqt
Explorer

No joy, still comes through as a blob of data.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...