topic Re: Replacing Xml header at search time in Splunk Search

Replacing Xml header at search time

DataOrg — Fri, 09 Oct 2020 12:41:02 GMT

i want to remove the header tag in the xml during search time as it was not properly quoted also,

please help with the command

Have to remove this tag from data durring search time

<?xml version=1.0 encoding=utf-8?>

<?xml version=1.0 encoding=utf-8?><Material><ID>1</ID><Equip>001</Equip><Date>20201009</Date><Posting>20201009</Posting>

Re: Replacing Xml header at search time

ITWhisperer — Fri, 09 Oct 2020 12:52:48 GMT

| rex mode=sed "s/\<\?xml version=1\.0 encoding=utf-8\?\>//g"

Re: Replacing Xml header at search time

to4kawa — Fri, 09 Oct 2020 12:56:50 GMT

index=_internal | head 1 | fields _raw _time | eval _raw="<?xml version=1.0 encoding=utf-8?><Material><ID>1</ID><Equip>001</Equip><Date>20201009</Date><Posting>20201009</Posting>" | xmlkv

how about this?

Re: Replacing Xml header at search time

DataOrg — Fri, 09 Oct 2020 13:01:58 GMT

I dont need transformation, i just need to remove the header

Re: Replacing Xml header at search time

ITWhisperer — Fri, 09 Oct 2020 13:03:49 GMT

That's what the mode=sed does in my response

Re: Replacing Xml header at search time

DataOrg — Fri, 09 Oct 2020 13:44:29 GMT

i need to remove only the xml header but i need the <ProductionPerformance> tag
< xmlns:xsd=http://www.w3.org/2001/XMLSchema xmlns:Extended=http://www.wbf.org/xml/B2MML-V0401-AllExtensions xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance xmlns=http://www.wbf.org/xml/B2MML-V0401>

Re: Replacing Xml header at search time

to4kawa — Fri, 09 Oct 2020 13:53:08 GMT

index=_internal | head 1 | fields _raw _time | eval _raw="<ProductionPerformance xmlns:xsd=http://www.w3.org/2001/XMLSchema xmlns:Extended=http://www.wbf.org/xml/B2MML-V0401-AllExtensions xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance xmlns=http://www.wbf.org/xml/B2MML-V0401>" | rex mode=sed "s/xmlns.*>/>/"

Re: Replacing Xml header at search time

DataOrg — Fri, 09 Oct 2020 14:05:21 GMT

@to4kawa it removes other upcoming data tags also, i just want to remove xmls content from the <ProductionPerformance> tag

Input event:

<EventData><ProductionPerformance xmlns:xsd=http://www.w3.org/2001/XMLSchema xmlns:Extended=http://www.wbf.org/xml/B2MML-V0401-AllExtensions xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance xmlns=http://www.wbf.org/xml/B2MML-V0401></ProductionPerformance> <date>21/1/2020</date> <Message>Hello</Message> </EventData>

Output i want as

<EventData><ProductionPerformance></ProductionPerformance> <date>21/1/2020</date> <Message>Hello</Message> </EventData>

Re: Replacing Xml header at search time

kamlesh_vaghela — Fri, 09 Oct 2020 14:06:08 GMT

Hello @DataOrg

You can have your required part of data during search time by adding below configuration in props.conf.

[YouR_stanZa] EXTRACT-myData = ^[^>\n]*>(?P<myData>.+)

If in case you want it to be at index time you can use below configuration also.

[YouR_stanZa] SEDCMD-a=s/(^[^>\n]*>)//g

I hope this will help you. 🙂

Please let me know if you have some special scenario.

Happy Splunking

🙂

Re: Replacing Xml header at search time

ITWhisperer — Fri, 09 Oct 2020 14:12:21 GMT

| rex mode=sed "s/\sxmlns(|:\w+)=[^\s\>]+//g"