Is it possible to use the xmlutils app to xml pretty print just ONE field, or part of a log?

jimdiconectiv
Path Finder

I have a case where the log file includes a straight text header in front of well-formed XML.

Here is an example:
2017-09-05T13:14:02.869Z, ap=695449, xml="well formed xml"

The Bold is the straight text in front of the XML.
Is it possible to use xmlutils to xml pretty print just a single field? Perhaps as a function?

One problem is exporting data, but keeping the time stamp and ap field.

I have been trying to work around this by incorporating the time stamp into a larger xml piece and am near to having that working, but I come up with data that web xml validators like, but that still blow up pretty print.

Doing the xml print on just a field is likely the best solution, if someone can help.

Using Splunk 6.5. xmlutils seems to have installed and be working okay.

0 Karma

vbumgarner
Contributor

It does just pretty print one field, either the field "xml" or the field "_raw", in that order.

So, if you did something like:

query... | table _time ap xml | xmlprettyprint

The field xml would be pretty printed.

Unfortunately, you can't see it in a table in Splunk, because all white space is collapsed in a table view. You'd need to put the table on a dashboard and add some css to preserve the whitespace. The whitespace should survive in an export, though.

0 Karma

jimdiconectiv
Path Finder

Thanks much! I am in the process of trying this. I have a similar case with some JSONs. I also was able to get pretty printing by using fairly ugly sedcmds to turn the whole log into a single XML expression.

0 Karma
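
For exported events, the same one-field approach can be applied outside Splunk. This is an added example, not part of the thread and not code from the xmlutils app: it assumes the line layout shown in the question, and the names `split_event` and `pretty_xml` are hypothetical. Because log content is untrusted input, an XML field that carries a DOCTYPE or is not well formed is returned unchanged rather than parsed.

```python
import re
from xml.dom import minidom
from xml.parsers.expat import ExpatError

# Layout assumed from the question: <timestamp>, ap=<number>, xml="<document>"
# The greedy match runs to the last quote, so quoted attributes inside the XML survive.
LINE_RE = re.compile(
    r'^(?P<time>\S+),\s*ap=(?P<ap>\d+),\s*xml="(?P<xml>.*)"\s*$', re.DOTALL
)

def pretty_xml(text, indent="  "):
    """Re-indent one XML field; return it unchanged if it cannot be parsed safely."""
    # Log fields are untrusted: skip documents that declare a DTD or entities
    # instead of handing them to the parser.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return text
    try:
        dom = minidom.parseString(text)
    except ExpatError:
        # Not well formed: keep the raw value so the event is not lost.
        return text
    pretty = dom.documentElement.toprettyxml(indent=indent)
    # toprettyxml emits whitespace-only lines for input that was already indented.
    return "\n".join(line for line in pretty.splitlines() if line.strip())

def split_event(line):
    """Split one log line into _time, ap and a pretty-printed xml field."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"_time": m["time"], "ap": m["ap"], "xml": pretty_xml(m["xml"])}

# Constructed sample line in the layout from the question (not real log data).
SAMPLE = ('2017-09-05T13:14:02.869Z, ap=695449, '
          'xml="<order id="7"><item>book</item><qty>2</qty></order>"')

if __name__ == "__main__":
    event = split_event(SAMPLE)
    print(event["_time"], event["ap"])
    print(event["xml"])
```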