Re: Is there a way in Splunk Web to not import cer...

splunk2day · ‎07-05-2018

I'm trying import an xml and using Line_breakers and such I could get clean events that have my data of interest. Rest of the xml tags (broken events) I want to get rid of during import. Is there a way to do this?! Thanks!

niketn · ‎07-06-2018

@splunk2day give us more detail of your XML data. Since this kind of filtering will be based on Regular Expression we would need the sample of XML to find start and end pattern of data to index and data to drop from the same event.

Refer to the following Documentation to Discard specific events and keep the rest and Keep specific events and discard the rest

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

splunk2day · ‎07-09-2018

Thanks! While this does . provide some inkling, it's not a complete solution as I'm using the web and not entirely sure how this applies to the web, during manual import. My xml data looks like below -

I'm only interested in the part between the attributes tags, rest everything i want to filter out. I'm able to break it into meaningful events for me and just looking for the filter out way to i can totally eliminate having to import the meta data.

*** . unable to post xml here - it all formats funny ****
hopefully this gives u some idea

metadata tags level 1
metadata tags level 2
metadata tags level 3
xml fragment of interested that i can extract
closing and reopening meta data tags to my data of interest can repeat that i want to get rid of for a cleaner event imports ..

woodcock · ‎07-09-2018

You can easily post XML by pasting it, highlighting it and clicking on the 1010101 "code" button in the style/editor ribbon above your text window.

Is there a way in Splunk Web to not import certain events?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!