How do I parse this XML output into Splunk?
<configResolveClass cookie="1465464629/12a64fe8-34d5-14d5-8038-86f9029bca70" response="yes" classId="faultInst">
<outConfigs>
<faultInst ack="yes" cause="equipment-degraded" code="F0997" created="Thu Jan 7 20:29:58 2016" descr="Storage Raid Battery SLOT-3 Degraded: please check the battery or the storage controller" affectedDN="sys/rack-unit-1/board/storage-SAS-SLOT-3/raid-battery" highestSeverity="critical" id="3539993344" lastTransition="Thu Jan 7 19:46:32 2016" lc="flapping" occur="45" origSeverity="cleared" prevSeverity="cleared" rule="fltStorageRaidBatteryDegraded" severity="minor" tags="storage" type="server" dn="sys/rack-unit-1/board/storage-SAS-SLOT-3/raid-battery/fault-F0997" />
</outConfigs>
</configResolveClass>
Currently Splunk treats the whole chunk as a block. Here is my props.conf:
[ciscofaults]
DATETIME_CONFIG = CURRENT
KV_MODE = xml
LINE_BREAKER = <faultInst
MUST_BREAK_AFTER = </faultInst>
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TRUNCATE = 0
pulldown_type = 1
Do you want to just pull out the key-value pairs or parse the actual XML or both?
This will at least pull out the key-value pairs:
[ciscofaults]
BREAK_ONLY_BEFORE = </faultInst>
DATETIME_CONFIG =
# LINE_BREAKER must contain a capturing group; the group's match is discarded between events
LINE_BREAKER = (\s*)<faultInst
NO_BINARY_CHECK = true
category = Custom
# setting names are case-sensitive in props.conf
KV_MODE = auto
pulldown_type = true
Thanks for the replies. I'd like to also parse the actual XML. This does pull out the KV pairs.
This works quite well actually. This is what I need. Thanks for the assistance and the knowledge.
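For the "parse the actual XML" part of the question, here is an added example (not from the thread or from Splunk) that does in a script what the LINE_BREAKER stanza does in props.conf: it splits a configResolveClass response into one event per faultInst, keeps every attribute as a field, and emits one JSON object per line so a KV_MODE = json sourcetype needs no line breaking at all. The sample document is the one from the question; the created/lastTransition timestamps carry no time zone, so the converted _time is assumed to be device-local.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: the configResolveClass response posted in the question.
SAMPLE_XML = """<configResolveClass cookie="1465464629/12a64fe8-34d5-14d5-8038-86f9029bca70" response="yes" classId="faultInst">
<outConfigs>
<faultInst ack="yes" cause="equipment-degraded" code="F0997" created="Thu Jan 7 20:29:58 2016" descr="Storage Raid Battery SLOT-3 Degraded: please check the battery or the storage controller" affectedDN="sys/rack-unit-1/board/storage-SAS-SLOT-3/raid-battery" highestSeverity="critical" id="3539993344" lastTransition="Thu Jan 7 19:46:32 2016" lc="flapping" occur="45" origSeverity="cleared" prevSeverity="cleared" rule="fltStorageRaidBatteryDegraded" severity="minor" tags="storage" type="server" dn="sys/rack-unit-1/board/storage-SAS-SLOT-3/raid-battery/fault-F0997" />
</outConfigs>
</configResolveClass>"""

# Format of the created/lastTransition attributes in the sample; no zone is given,
# so the parsed value is treated as device-local time (assumption).
TIME_FMT = "%a %b %d %H:%M:%S %Y"


def parse_faults(xml_text):
    """Return one dict per <faultInst>, keeping every attribute as a field.

    ET.fromstring is fine for a response fetched from a managed device you control;
    for XML from an untrusted source use defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    faults = []
    for inst in root.iter("faultInst"):
        event = dict(inst.attrib)
        # Normalise the device timestamp to ISO 8601 so Splunk's TIME_FORMAT is trivial.
        created = datetime.strptime(event["created"], TIME_FMT)
        event["_time"] = created.strftime("%Y-%m-%dT%H:%M:%S")
        # occur is a counter; store it as a number so it can be thresholded in searches.
        event["occur"] = int(event["occur"])
        faults.append(event)
    return faults


def to_splunk_events(xml_text):
    """Serialise the faults as newline-delimited JSON, one event per line."""
    return "\n".join(json.dumps(f, sort_keys=True) for f in parse_faults(xml_text))


if __name__ == "__main__":
    print(to_splunk_events(SAMPLE_XML))
```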
Is your data coming into the sourcetype ciscofaults?
Is this props.conf file on an Indexer or Heavy Forwarder?
Keep in mind MUST_BREAK_AFTER will only be applied if SHOULD_LINEMERGE = true, so you don't need the MUST_BREAK_AFTER line.
You're probably going to need a different LINE_BREAKER command. Can you post the raw events of a couple events?