topic Re: extract only xml part from an event in Splunk Search

extract only xml part from an event

eranhauser — Fri, 22 Mar 2024 13:45:54 GMT

Hi,
my event has unstructured data i.e. few strings than xml part than few more strings and another xml follow by few more strings.
How do I extract only the xml parts from the event when there is no pattern to the string i.e. number of lines before and after the xml nor the string content has a pattern.

Re: extract only xml part from an event

richgalloway — Fri, 22 Mar 2024 15:43:45 GMT

We need more information. Are you trying to extract at search time or index time? Are you trying keep the XML or discard it? Please share a sanitized sample event or two.

Re: extract only xml part from an event

eranhauser — Fri, 22 Mar 2024 16:07:42 GMT

I am trying to get values from xml part of an event. The event starts with few lines than it has xml part, after that few more lines and another xml part. I want to extract at first only the parts of the event that are in xml format.

Re: extract only xml part from an event

isoutamo — Fri, 22 Mar 2024 17:24:02 GMT

until you give some sample data to us, it’s hard to tell exactly how to do it. Here is some ideas how to proceed with this case

... | rex "....(?<yourXML>....until it ends)...." | fields _time yourXML | xmlkv maxinputs=99999 yourXML ....

r. Ismo

Re: extract only xml part from an event

eranhauser — Fri, 22 Mar 2024 18:35:28 GMT

it loos like
this is the first line
this is the second line

<!DOCTYPE....>

......... the rest of the xml is here

this is the third line

<!DOCTYPE...>

.......rest of the xml is here

this is the fourth line

this is the fifth line

Re: extract only xml part from an event

isoutamo — Fri, 22 Mar 2024 18:38:07 GMT

Is there any word or some token how you know where first xml part will ends or is it just end of line and then 3rd line is some other text?