user3868561
Reputation: 11
dumping XML log files into Splunk
I want to dump the following XML log file in Splunk keeping in mind the fact that it should give all the tags as a fields such that I could search the events where
Text="Application: Directory started" Category="BIG" Module="WorkflowHost"
What should I write in props.conf
<Message>
<ID>
b476f836-36dd-4c30-9a8e-0587c5d34b8d-
</ID>
<Date>
2014-01-09 10:45:31.69
</Date>
<Text>
Application: Directory started
</Text>
<Category>
BIG
</Category>
<Source>
Workflow
</Source>
<Level>
Event
</Level>
<Class>
General
</Class>
<Module>
WorkflowHost
</Module>
<LineNumber>
0
</LineNumber>
<ProcessID>
5420
</ProcessID>
<User>
e2ac3262e9b9d03f
</User>
</Message>
<Message>
<ID>
b476f836-36dd-4c30-9a8e-0587c5d34b8d
</ID>
<Date>
2014-01-09 10:45:41.57
</Date>
<Text>
Application: PatientDirectory started
</Text>
<Category>
BIG
</Category>
<Source>
PatientDirectory
</Source>
<Level>
Event
</Level>
<Class>
General
</Class>
<Module>
PatientDirectory
</Module>
<LineNumber>
0
</LineNumber>
<ProcessID>
2180
</ProcessID>
<User>
e2ac3262e9b9d03f
</User>
</Message>
PLs help....:)
Upvotes: 1
Views: 4165
Answers (1)
Jon Webster
Reputation: 171
In your props.conf stanza for the sourcetype you're indexing, add
KV_MODE=xml
This will automatically extract all the fields and values.
You can find more details in the props.conf file documentation here:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/propsconf
Upvotes: 1
Related Questions
- Extract data from splunk
- Using Splunk rex to extract String from logs
- How to parse information from a log message in splunk
- Local Log Analyzer Tool
- Need a regex command to find a value in an xml file
- Create regular expression using the rex command in Splunk to return xml child elements
- Splunk Custom Log format Parsing
- Is it possible to parse dynamic xml-structured log contents with Grok?
- Splunk splitting xml log event
- Splunk java sdk return XML