XML multi-value help

glihon
New Member

I am new to Splunk and have been reading as much as I can, but I cannot figure this out. Trying to wrap my head around regex. I have some xml data as below. Splunk only identifies the first values of bi, o, pb, pool, amt, mode. I need to work with each of these. Would you please help me make these multi-valued? Thank you.


Board 3 Msg # 90962 19-JAN-2013 12:45:34.51 msg length = 871
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sorry for the delayed response. Thank you both for trying to help, it is greatly appreciated. There are more issues with my data than I thought. I was working with a friend who has more experience with Splunk and he helped me get a decent start. Unfortunately, now I have issues with line breaking. I am trying to index the above type of messages from a txt file. In the txt file it looks like:

Board 3 stuff

XML stuff

Board 3 stuff

XML stuff

Where each event is within one line separated by the "Board 3..." stuff. He helped me overcome this using the following props.conf:

[horsexml]
#TIME_PREFIX = Board\s\d+\s+\w+\s#\s+\d+\s+
#TIME_FORMAT = %d-%b-%Y %H:%M:%S.%2N
# The capture group (the "Board ..." header line, or an ETX control character) marks the start of a new event
LINE_BREAKER = (Board[\s\d\w#-:=.]+)|(\x3)
SHOULD_LINEMERGE = false
KV_MODE = xml
#REPORT-xmlext = xml-extr

Unfortunately, there exist "returns" within each line, beginning after 133 characters. So instead of one straight line of xml code, Splunk sees something like this:

Board 3 Msg # 24830 19-JAN-2013 08:47:01.13 msg length = 855

SesDate="2013-01-19" RaceDate="2013-01-19" PTyp=" $" />
turfC="YIELDING" typ="A" Total="0.00">
o=" 30" pb="35.40" />
bi="7" o=" 5" pb="6.50" />

l pool="TRI" amt="937.58" mode="N" />
ol="SPR" amt="800.76" mode="N" />

Board 3 Msg # 24944 19-JAN-2013 08:47:36.09 msg length = 855

SesDate="2013-01-19" RaceDate="2013-01-19" PTyp=" $" />
turfC="YIELDING" typ="A" Total="0.00">
o=" 30" pb="35.50" />
bi="7" o=" 5" pb="6.40" />

l pool="TRI" amt="949.05" mode="N" />
ol="SPR" amt="808.82" mode="N" />

Please note the truncation of "total" and "pool" near the end of these examples down to "tota" and "po". So this results in Splunk producing a few incorrect fields. For example:

msg.WO_data.feature.tota{@l}{@pool}
which should be
msg.WO_data.feature.total{@pool}

and

msg.WO_data.feature.total{@po}{@ol}
which should be
msg.WO_data.feature.total{@pool}

I thought adding a SHOULD_LINEMERGE=true should work, but I have not figured it out. It either merges everything into one event, or when I prevent that it does not merge these lines to prevent the truncation.

I also tried adding a TRUNCATE option, but Splunk is not the one truncating, so that's not the issue. Any thoughts? Thanks again for your effort and help.


dart
Splunk Employee

Try using spath or setting KV_MODE=xml for your sourcetype, which will parse your xml for you.


martin_mueller
SplunkTrust

This'll give you multi-value fields:

...
| spath output=bi path=msg.wo_data.oddsdata.entry{@bi}
| spath output=o path=msg.wo_data.oddsdata.entry{@o}
| spath output=pb path=msg.wo_data.oddsdata.entry{@pb}
| spath output=pool path=msg.wo_data.feature.total{@pool}
| spath output=amt path=msg.wo_data.feature.total{@amt}
| spath output=mode path=msg.wo_data.feature.total{@mode}
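As an added example (not code from either post or from Splunk), the Python below emulates on a constructed sample what glihon's LINE_BREAKER and martin_mueller's spath searches do: it splits the feed on the "Board ..." header, removes the hard returns inserted every 133 characters, and collects the six attributes as multi-value lists. The XML element names, header lines and values are assumptions modelled on the fragments in the post, not the real feed's schema.

```python
import re
import xml.etree.ElementTree as ET
# The LINE_BREAKER from the props.conf above, class closed; Python needs \x03 where PCRE takes \x3.
LINE_BREAKER = re.compile(r"(Board[\s\d\w#-:=.]+)|(\x03)")
# Constructed sample modelled on the post's fragments; element names follow the answers' spath paths.
EVENT_TEMPLATE = (
    '<msg><WO_data><oddsdata turfC="YIELDING" typ="A" Total="0.00">'
    '<entry bi="1" o=" 30" pb="{pb1}" /><entry bi="7" o=" 5" pb="{pb2}" /></oddsdata>'
    '<feature><total pool="TRI" amt="{amt1}" mode="N" /><total pool="SPR" amt="{amt2}" mode="N" />'
    '</feature></WO_data></msg>'
)
HEADERS = ("Board 3 Msg # 24830 19-JAN-2013 08:47:01.13 msg length = 855",
           "Board 3 Msg # 24944 19-JAN-2013 08:47:36.09 msg length = 855")
VALUES = (dict(pb1="35.40", pb2="6.50", amt1="937.58", amt2="800.76"),
          dict(pb1="35.50", pb2="6.40", amt1="949.05", amt2="808.82"))


def wrap133(line):
    """Simulate the feed's hard return after every 133 characters of a one-line event."""
    return "\n".join(line[i:i + 133] for i in range(0, len(line), 133))


# The txt file as Splunk sees it: a header line, then the event XML broken at column 133.
RAW_FEED = "".join(h + "\n" + wrap133(EVENT_TEMPLATE.format(**v)) + "\n" for h, v in zip(HEADERS, VALUES))


def split_events(raw):
    """Emulate LINE_BREAKER: the text segments between header matches are the events (stride 3: two groups)."""
    return [seg for seg in LINE_BREAKER.split(raw)[::3] if seg.strip()]


def unwrap(event):
    """Inside one event every newline is a 133-column wrap, not a real break, so drop them all."""
    return event.replace("\r", "").replace("\n", "").strip()


def parses(event_xml):
    """Well-formed? The wrapped form is not: the break lands inside a tag, which is how tota{@l} fields arise."""
    try:
        ET.fromstring(event_xml)
        return True
    except ET.ParseError:
        return False


def extract(event_xml, path, attr):
    """Equivalent of `spath path=<path>{@attr}`: one value per matching element, i.e. a multi-value field."""
    root = ET.fromstring(event_xml)
    rel = "./" + "/".join(path.split(".")[1:])  # spath paths include the root element; ET paths start below it
    return [el.get(attr) for el in root.findall(rel) if el.get(attr) is not None]


def fields(raw):
    """Split, unwrap and extract the six fields, each as a multi-value list, for every event in the feed."""
    paths = {a: "msg.WO_data.oddsdata.entry" for a in ("bi", "o", "pb")}
    paths.update({a: "msg.WO_data.feature.total" for a in ("pool", "amt", "mode")})
    return [{a: extract(x, p, a) for a, p in paths.items()} for x in map(unwrap, split_events(raw))]
```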