topic Simplifying event displays in Splunk Search

Simplifying event displays

rdb_splunk — Thu, 13 Dec 2012 18:47:50 GMT

Hi there,

I have XML logs that I bring into spunk. Unfortunately, there is far too much not required information for me to go through,

eg, an event will contain,

2 12/12/12 3:53:39.945 PM
2012.12.12 20:53:39.945 GMT1355345619945America/New_York02012.12.12 20:53:39.945 GMT135534561994546985burl-cap28996AvidLicenseServiceFINERDoing Overdue Cleanup task...42Overdue Cleanup Threadcom.avid.workgroup.license.service.provider.behaviorcom.avid.workgroup.license.service.provider.behavior.LicenseRequest$OverdueCleanupTaskrun

I really want to filter it down to

2012.12.12 20:53:39.945 GMTburl-cap2AvidLicenseServiceFINERDoing Overdue Cleanup task...<com.avid.workgroup.license.service.provider.behaviorcom.avid.workgroup.license.service.provider.behavior.LicenseRequest$OverdueCleanupTask<

As you can see, a lot less detail.

Anyone have any ideas - thanks

Re: Simplifying event displays

jonuwz — Thu, 13 Dec 2012 22:20:19 GMT

Yep.

You can write a sed filter to alter the event before its indexed.
I assume this is what you want.
DISCLAIMER - the original event is lost for good, you can't get back the data you strip out.

Put this in your props.conf under a stanza that represents this sourcetype/source/whatever

change 'date|hostname|level|message' to be the list of fields you want to keep.

SEDCMD-reduce_xml = s/(?:(?!<record>)<((?!(?:date|hostname|level|message)>)[^>]+)>.*?<\/\1>)|<\/?record>//g

You'll need to restart splunk for the change to take effect

Re: Simplifying event displays

Ayn — Thu, 13 Dec 2012 22:27:08 GMT

If you're just doing this because you want to browse through events more easily and don't want to actually lose any data, another route you could take is to extract the XML values to fields (have a look at the xmlkv and spath commands), and then use table to show only the fields in the XML events that you're interested in.