topic Re: How to write the regex to extract a field from XML data if the field is not completely XML? in Splunk Search

How to write the regex to extract a field from XML data if the field is not completely XML?

jameskerivan — Mon, 04 Jan 2016 22:19:24 GMT

I have a field which I would like to extract a field from the XML being displayed. The only problem is the field is not completely XML. I am not allowed to post an example, but basically I want to extract something that looks like:

Event xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"><ns2:behaviorVersion>0</ns2:behaviorVersion><triggers><channelId>0055</channelId><clientVersion>3</clientVersion></triggers><eventInfo><bos:instanceId>000121481</bos:instanceId><bos:serverName>1</bos:serverName><bos:implementationName>TransferStarted</bos:implementationName>

And I would like to grab TransferStarted in between the two tags <bos:implementationName> and </bos:implementationName>.

I have worked with regex in the past, but am still not confident. Any help would be much appreciated and Happy New Year!

Re: How to write the regex to extract a field from XML data if the field is not completely XML?

sundareshr — Mon, 04 Jan 2016 23:14:33 GMT

Have you tried this

implementationName\>(\w+)\<

Re: How to write the regex to extract a field from XML data if the field is not completely XML?

jameskerivan — Mon, 04 Jan 2016 23:44:34 GMT

Yes this is what I want. Right now I am doing

base query | rex field=F "(?.*)implementationName\>(\w+)\<" | stats count by preName | sort count desc

But this is providing me with everything before implementationName as I specified. How would I extract that field? The way I see the regex working is it matches implementationName and looks for the characters > < for opening and closing of the value I want. Do I need to specify a variable for that value?

Re: How to write the regex to extract a field from XML data if the field is not completely XML?

sundareshr — Mon, 04 Jan 2016 23:59:50 GMT

Try this, assuming preName is the name you want for that field.

"implementationName>(?<preName>w+)<"

Re: How to write the regex to extract a field from XML data if the field is not completely XML?

sundareshr — Tue, 05 Jan 2016 00:00:32 GMT

There should be a backslash before "w+"

Re: How to write the regex to extract a field from XML data if the field is not completely XML?

jameskerivan — Tue, 05 Jan 2016 00:44:19 GMT

So the stats that it gives me is very confusing. Here is my query :

base query | rex field=F "implementationName>(?<preName>\w+)<" | stats count by preName | sort count desc

This is giving me a very small amount of the implemenationNames but it does not give them all. For example TransferStarted did not get counted in my stats but if I look in the events I can see it. Am I missing something?

Re: How to write the regex to extract a field from XML data if the field is not completely XML?

sundareshr — Tue, 05 Jan 2016 00:58:22 GMT

If there is more than 1 occurrence of the preName in one event, you should add max_match=0 to the rex command and used multi-value functions to get the right result

Re: How to write the regex to extract a field from XML data if the field is not completely XML?

jameskerivan — Tue, 05 Jan 2016 20:12:06 GMT

Thank you very much. You have been so helpful. The problem I am coming across is with the way we are logging. Your query is correct!