I am new to Splunk and have been reading as much as I can, but I cannot figure this out. Trying to wrap my head around regex. I have some xml data as below. Splunk only identifies the first values of bi, o, pb, pool, amt, mode. I need to work with each of these. Would you please help me make these multi-valued? Thank you.
Board 3 Msg # 90962 19-JAN-2013 12:45:34.51 msg length = 871
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sorry for the delayed response. Thank you both for trying to help, it is greatly appreciated. There are more issues with my data than I thought. I was working with a friend who has more experience with Splunk and he helped me get a decent start. Unfortunately, now I have issues with line breaking. I am trying to index the above type of messages from a txt file. In the txt file it looks like:
Board 3 stuff
XML stuff
Board 3 stuff
XML stuff
Where each event is within one line separated by the "Board 3..." stuff. He helped me overcome this using the following props.conf:
[horsexml]
#TIME_PREFIX = Board\s\d+\s+\w+\s#\s+\d+\s+
#TIME_FORMAT = %d-%b-%Y %H:%M:%S.%2N
LINE_BREAKER = (Board[\s\d\w#-:=\]+)|(\x3)
SHOULD_LINEMERGE = false
KV_MODE = xml
#REPORT-xmlext = xml-extr
Unfortunately, there exist "returns" within each line begun with
Board 3 Msg # 24830 19-JAN-2013 08:47:01.13 msg length = 855
SesDate="2013-01-19" RaceDate="2013-01-19" PTyp=" $" />
turfC="YIELDING" typ="A" Total="0.00">
o=" 30" pb="35.40" />
bi="7" o=" 5" pb="6.50" />
l pool="TRI" amt="937.58" mode="N" />
ol="SPR" amt="800.76" mode="N" />
Board 3 Msg # 24944 19-JAN-2013 08:47:36.09 msg length = 855
SesDate="2013-01-19" RaceDate="2013-01-19" PTyp=" $" />
turfC="YIELDING" typ="A" Total="0.00">
o=" 30" pb="35.50" />
bi="7" o=" 5" pb="6.40" />
l pool="TRI" amt="949.05" mode="N" />
ol="SPR" amt="808.82" mode="N" />
Please note the truncation of "total" and "pool" near the end of these examples down to "tota" and "po". So this results in Splunk producing a few incorrect fields. For example:
msg.WO_data.feature.tota{@l}{@pool}
which should be
msg.WO_data.feature.total{@pool}
and
msg.WO_data.feature.total{@po}{@ol}
which should be
msg.WO_data.feature.total{@pool}
I thought adding a SHOULD_LINEMERGE=true should work but I have not figured it out. It either merges everything into one event, or when I prevent that it does not merge these lines to prevent the truncation.
I also tried adding a TRUNCATE option, but Splunk is not the one truncating so that's not the issue. Any thoughts? Thanks again for your effort and help.
Try using spath or setting KV_MODE=xml for your sourcetype, which will parse your XML for you.
This'll give you multi-value fields:
... | spath output=bi path=msg.wo_data.oddsdata.entry{@bi}
    | spath output=o path=msg.wo_data.oddsdata.entry{@o}
    | spath output=pb path=msg.wo_data.oddsdata.entry{@pb}
    | spath output=pool path=msg.wo_data.feature.total{@pool}
    | spath output=amt path=msg.wo_data.feature.total{@amt}
    | spath output=mode path=msg.wo_data.feature.total{@mode}
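The following is an added example, not code from either post above. It emulates offline the two things the thread is about: breaking the raw txt feed into events the way Splunk's LINE_BREAKER does (the text matched by the first capture group is the delimiter and is discarded from the events), undoing the hard wrap that splits attribute names like "total" and "pool", and then resolving spath-style paths such as msg.WO_data.oddsdata.entry{@bi} into multi-value lists. The element names (msg, WO_data, oddsdata, entry, feature, total) are assumed from the field names quoted in the thread; the sample feed is constructed to reproduce the "tota"/"l" and "po"/"ol" breaks the poster describes.

```python
"""Offline emulation of Splunk event breaking plus spath-style extraction for
the wrapped XML feed discussed in this thread. Added example; element names
are assumed from the thread, and RAW_FEED below is constructed sample data."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: two messages, each hard-wrapped so that a newline lands
# inside an attribute name ("tota" / "l pool", "po" / "ol"), as reported above.
RAW_FEED = (
    'Board 3 Msg # 24830 19-JAN-2013 08:47:01.13 msg length = 855\n'
    '<msg SesDate="2013-01-19" RaceDate="2013-01-19" PTyp=" $">\n'
    '<WO_data turfC="YIELDING" typ="A" Total="0.00">\n'
    '<oddsdata><entry bi="1" o=" 30" pb="35.40" />\n'
    '<entry bi="7" o=" 5" pb="6.50" /></oddsdata>\n'
    '<feature><tota\nl pool="TRI" amt="937.58" mode="N" />\n'
    '<total po\nol="SPR" amt="800.76" mode="N" /></feature>\n'
    '</WO_data></msg>\n'
    'Board 3 Msg # 24944 19-JAN-2013 08:47:36.09 msg length = 855\n'
    '<msg SesDate="2013-01-19" RaceDate="2013-01-19" PTyp=" $">\n'
    '<WO_data turfC="YIELDING" typ="A" Total="0.00">\n'
    '<oddsdata><entry bi="1" o=" 30" pb="35.50" />\n'
    '<entry bi="7" o=" 5" pb="6.40" /></oddsdata>\n'
    '<feature><tota\nl pool="TRI" amt="949.05" mode="N" />\n'
    '<total po\nol="SPR" amt="808.82" mode="N" /></feature>\n'
    '</WO_data></msg>\n'
)

# A LINE_BREAKER that keeps the "Board ..." header inside the event: Splunk
# discards whatever the first capture group matches, so only the newline run
# before the header is captured and the header itself is asserted by lookahead.
LINE_BREAKER = r"([\r\n]+)(?=Board \d+ Msg #)"

# Header layout as shown in the thread; the timestamp is the part that the
# commented-out TIME_PREFIX / TIME_FORMAT in the poster's props.conf point at.
HEADER_RE = re.compile(
    r"Board (?P<board>\d+) Msg # (?P<msgno>\d+) "
    r"(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{2}) msg length = (?P<length>\d+)"
)

# The spath paths from the answer, with the element case as it appears in the
# poster's field names (XML element names are case-sensitive).
FIELDS = {
    "bi": "msg.WO_data.oddsdata.entry{@bi}",
    "o": "msg.WO_data.oddsdata.entry{@o}",
    "pb": "msg.WO_data.oddsdata.entry{@pb}",
    "pool": "msg.WO_data.feature.total{@pool}",
    "amt": "msg.WO_data.feature.total{@amt}",
    "mode": "msg.WO_data.feature.total{@mode}",
}


def break_events(stream, line_breaker=LINE_BREAKER):
    """Emulate LINE_BREAKER with SHOULD_LINEMERGE=false: the text matched by
    the first capture group is the delimiter and is dropped; everything between
    delimiters is one event, embedded newlines included."""
    events, last = [], 0
    for m in re.finditer(line_breaker, stream):
        events.append(stream[last:m.start(1)])
        last = m.end(1)
    events.append(stream[last:])
    return [e for e in events if e.strip()]


def split_header(event):
    """Return (header fields, unwrapped XML text). Assumes the feed writer
    hard-wraps by inserting only a newline, so deleting the newlines is the
    exact inverse and restores names such as "total" and "pool"."""
    header, _, body = event.partition("\n")
    m = HEADER_RE.match(header)
    if not m:
        raise ValueError("event does not start with a Board header: %r" % header[:40])
    return m.groupdict(), body.replace("\r", "").replace("\n", "")


def spath_attr(root, path):
    """Resolve a path like msg.WO_data.oddsdata.entry{@bi} against a parsed XML
    tree and return every matching attribute value as a list (a multi-value
    field). The first step must name the root element."""
    m = re.fullmatch(r"([\w.]+)\{@(\w+)\}", path)
    if not m:
        raise ValueError("unsupported path: %s" % path)
    steps, attr = m.group(1).split("."), m.group(2)
    if steps[0] != root.tag:
        return []
    return [el.get(attr) for el in root.findall("/".join(steps[1:]))
            if el.get(attr) is not None]


def extract(stream):
    """Break the stream into events, unwrap each one, parse the XML and return
    one record per event holding the header fields and the multi-value fields."""
    records = []
    for event in break_events(stream):
        header, xml_text = split_header(event)
        root = ET.fromstring(xml_text)
        rec = dict(header)
        rec.update({name: spath_attr(root, path) for name, path in FIELDS.items()})
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in extract(RAW_FEED):
        print(rec["msgno"], rec["ts"], rec["bi"], rec["pool"], rec["amt"])
```

Two checks worth making against the thread. First, the poster's LINE_BREAKER captures the whole "Board ..." header in its first group, so that header, including the timestamp the commented-out TIME_PREFIX expects, is removed from the event; capturing only the newline run and putting the header in a lookahead, as above, keeps it. Second, SHOULD_LINEMERGE only decides where events start and end; it never deletes the newlines inside an event, so a wrap that splits "total" into "tota" and "l" has to be repaired before the XML parser sees it (here by stripping newlines from the body; in the poster's setup that means fixing the feed or preprocessing the txt file). Finally, since XML element names are case-sensitive, confirm the spath path uses the element name exactly as it appears in the raw event: the poster's fields show WO_data, the search above uses wo_data.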