topic Re: Want to write rex in props to extract field from XML in Splunk Enterprise

Want to write rex in props to extract field from XML

abhaywdc — Wed, 27 Mar 2024 18:11:09 GMT

I have a mixed data of ADFS logs, mixed in the sense, I have non XML as well as XML formatted data in the same event. Now my requirement is to extract the field from XML format .

Ex:- <abc>WoW</abc> <xyz>SURE</xyz>

Now, both the lines are in the same event. I want to have two fields called "abc" and "xyz" with the corresponding value WoW and SURE.

Kindly help !!

Re: Want to write rex in props to extract field from XML

isoutamo — Wed, 27 Mar 2024 18:34:04 GMT

in splunk you can get it like

| makeresults | eval _raw = "Ex:- <abc>WoW</abc> <xyz>SURE</xyz>" ``` above prepare test event ``` | rex "(?ms)<abc>(?<abc>[^<]+)<\\/abc>.*<xyz>(?<xyz>[^<]+)<\\/xyz>"

A nice place to test those is regex101.com. Here is link to your case https://regex101.com/r/iBvAPm/1

When you are converting those for Splunk, usually there is need to add some additional escape character as splunk preprocessing that reg ex and remove some \ characters

r. Ismo

Re: Want to write rex in props to extract field from XML

Abhay — Thu, 28 Mar 2024 10:39:34 GMT

I appreciate your response here, but there are many xml tags in the event , as I mentioned in the example :

abc

xyz

So, you do not know what are the tags coming in the event, so it is dynamic.

My Field should be created dynamically with the tag's name and the corresponding value.

ex:- <abc>Wow</abc>

field name should not be hardcoded as "abc", it should take "abc" dynamically and the value should be "Wow"

Re: Want to write rex in props to extract field from XML

isoutamo — Thu, 28 Mar 2024 11:12:54 GMT

Is it possible to extract those xml parts 1st and then use xmlkv command to those?

Re: Want to write rex in props to extract field from XML

Abhay — Thu, 28 Mar 2024 11:15:26 GMT

We can't use xmlkv, customer will fire the index=indexname sourcetype=soucetypename and data should appear with all the fields extracted !!

the events are the combination of Non-XML and XML format.

From the Non-xml format we have the fields coming in but from the XML formats we dont have any fields.

Finally, we have to automate the extraction using the props.conf in the backend.

Re: Want to write rex in props to extract field from XML

isoutamo — Thu, 28 Mar 2024 15:18:50 GMT

Can you give any sanitized sample data?
It's enough that fields are extracted, but not need to index those in ingesting phase?