
Avaya System Manager CDR XML formatting

StuReeves
Explorer

Hi, hope someone can help. I'm new to Splunk and can see its potential for what I require, but I'm struggling to get some XMLs to format correctly. I've looked at loads of example answers, but none of them seem to make the XML easily readable. I have a feeling that, when trying to apply the examples, the word "call" appearing so often is messing up the result. I've tried multiple examples in props.conf and transforms.conf, but they seem to have little effect.
What I'm trying to achieve is for the info between <call> and </call> (not <calls> and </calls>) to appear on a combined line and to "discard" the rest. At the moment it all seems to be a little bit all over the place.
Any help would be really, really appreciated.
Hopefully once I can get the basics done, I can progress onto a nice set up anyone can use.

<?xml version="1.0"?>
<calls>
    <call>
        <call_time>2017-03-27T15:46:38+01:00</call_time>
        <duration>PT50.189S</duration>
        <condition_code>9</condition_code>
        <parties>
            <dialed_number>0063123456789@NNN.com</dialed_number>
            <calling_number>0112456789@NNN.com</calling_number>
        </parties>
        <sip_entities>
            <terminating>NNNLISBCE</terminating>
            <originating>UKDCNNNNNNN</originating>
        </sip_entities>
        <feature_flag>4</feature_flag>
        <bcc>M</bcc>
        <ma_uui>0</ma_uui>
        <resource_flag>0</resource_flag>
        <bandwidth>1</bandwidth>
        <av_gsid>007651bf-NNNN-4701-NNNN-57c36b590000</av_gsid>
        <ip_addresses>
            <calling>192.0.0.50</calling>
            <called>192.0.0.51</called>
        </ip_addresses>
        <usage>
            <voice>Y</voice>
            <video>N</video>
            <fax>N</fax>
            <text>N</text>
            <other>N</other>
        </usage>
        <codec>8</codec>
        <tenant_ids>
            <calling></calling>
            <called></called>
        </tenant_ids>
    </call>
    <call>
        <call_time>2017-03-27T15:46:53+01:00</call_time>
        <duration>PT19.737S</duration>
        <condition_code>9</condition_code>
        <parties>
            <dialed_number>*0123456789@NNN.com:5060</dialed_number>
            <calling_number>0987654321@192.0.0.52:19937</calling_number>
        </parties>
        <sip_entities>
            <terminating>UKDCNNNNNN</terminating>
            <originating>RONNNNNNN</originating>
        </sip_entities>
        <feature_flag>4</feature_flag>
        <bcc>M</bcc>
        <ma_uui>0</ma_uui>
        <resource_flag>0</resource_flag>
        <bandwidth>1</bandwidth>
        <av_gsid>2a774e90-NNNN-11e7-NNNNN-f8bc125544b0</av_gsid>
        <ip_addresses>
            <calling>192.0.0.50</calling>
            <called>192.0.0.55</called>
        </ip_addresses>
        <usage>
            <voice>Y</voice>
            <video>N</video>
            <fax>N</fax>
            <text>N</text>
            <other>N</other>
        </usage>
        <codec>8</codec>
        <tenant_ids>
            <calling></calling>
            <called></called>
        </tenant_ids>
    </call>
</calls>
1 Solution

woodcock
Esteemed Legend

Use this:

LINE_BREAKER = (<\/call>[\r\n\s]+<call>[\r\n\s]+)

You can use the spath command to get the values that you want. See the xml examples towards the bottom.

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Spath

You can also have Splunk extract all fields automatically for you:

http://splunk-base.splunk.com/answers/2889/automatically-extract-xml-key-value-pairs



StuReeves
Explorer

I'd thought I'd drop an example search I've done for this that formats some of the output, as it can get a little mangled. I'm still getting my head around how Splunk works, but I hope it helps someone.

<basesearch> | replace *T* with "* *" in call_time | replace PT*H*M*S with "* Hours * Minutes * Seconds" in duration | replace PT*M*S with "* Minutes * Seconds" in duration | replace PT*.*S with "*.* Seconds" in duration


StuReeves
Explorer

Thanks for getting back so quickly but it hasn't solved my issues (unless I'm missing something). I created a new props.conf and entered the line.
I may be misunderstanding how it should display, but this is what I currently get output on a raw search.

https://goo.gl/photos/ry5jtXkdRh4Dt1wg7


woodcock
Esteemed Legend

You need to make sure that you also set SHOULD_LINEMERGE = false. You need to deploy this to your Indexers and restart splunk there. Even then, only events forwarded AFTER the restarts will show correctly; previously indexed events will always stay broken (<- literally).

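As an added illustration (not code from the thread or from Splunk), this Python mimics the documented LINE_BREAKER rule that the text matched by the first capture group is discarded, on a constructed two-record CDR sample: the accepted regex drops the <call> and </call> tags themselves, a variant that captures only the whitespace between records keeps each event a complete element, and in both cases the <?xml?>/<calls> wrapper still rides along on the first and last event and has to be trimmed before the fields can be read.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the Avaya CDR layout from the question (placeholder values).
SAMPLE_CDR = """<?xml version="1.0"?>
<calls>
    <call>
        <call_time>2017-03-27T15:46:38+01:00</call_time>
        <duration>PT50.189S</duration>
        <parties><dialed_number>0063123456789@example.com</dialed_number></parties>
    </call>
    <call>
        <call_time>2017-03-27T15:46:53+01:00</call_time>
        <duration>PT19.737S</duration>
        <parties><dialed_number>*0123456789@example.com:5060</dialed_number></parties>
    </call>
</calls>
"""

# LINE_BREAKER from the accepted answer, and a variant whose capture group
# covers only the whitespace between records so the tags survive.
ACCEPTED_BREAKER = r"(</call>[\r\n\s]+<call>[\r\n\s]+)"
TAG_KEEPING_BREAKER = r"</call>([\r\n\s]+)<call>"

def split_events(stream, line_breaker):
    """Mimic Splunk's LINE_BREAKER: an event ends where capture group 1
    starts, the next begins where it ends, and the captured text is dropped."""
    events, pos = [], 0
    for m in re.finditer(line_breaker, stream):
        events.append(stream[pos:m.start(1)])
        pos = m.end(1)
    events.append(stream[pos:])
    return events

def call_fields(event):
    """Trim the <?xml?>/<calls> wrapper left on the first and last event, then
    read the same paths spath would report (e.g. parties.dialed_number)."""
    start, end = event.find("<call>"), event.find("</call>")
    if start < 0 or end < 0:
        return None  # the breaker discarded a tag; not a complete <call> element
    root = ET.fromstring(event[start:end + len("</call>")])
    return {
        "call_time": root.findtext("call_time"),
        "duration": root.findtext("duration"),
        "parties.dialed_number": root.findtext("parties/dialed_number"),
    }

def parse_stream(stream, line_breaker):
    return [call_fields(e) for e in split_events(stream, line_breaker)]
```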

StuReeves
Explorer

Thank you so much. That's done the trick perfectly. I need to get rid of the XML lines, but I'm pretty sure I've seen that somewhere else, so I'll give it a bash first. Even with them in there, it's perfectly usable and now I can crack on getting the data I need set up.
Once again, thanks!
