Hi, hope someone can help. I'm new to Splunk and can see its potential for what I require, but I'm struggling to get some XMLs to format correctly. I've looked at loads of example answers, but none of them seem to make the XML easily readable. I've a feeling that when trying to apply examples, because the word "call" appears so often, it's messing up the result. I've tried multiple examples in props.conf and transforms.conf, but it seems to have little effect.
What I'm trying to achieve is for the info between <call> and </call> (not calls and calls) to appear on a combined line and "discard" the rest. At the moment it all seems to be a little bit all over the place.
Any help would be really, really appreciated.
Hopefully once I can get the basics done, I can progress onto a nice set up anyone can use.
<?xml version="1.0"?>
<calls>
<call>
<call_time>2017-03-27T15:46:38+01:00</call_time>
<duration>PT50.189S</duration>
<condition_code>9</condition_code>
<parties>
<dialed_number>0063123456789@NNN.com</dialed_number>
<calling_number>0112456789@NNN.com</calling_number>
</parties>
<sip_entities>
<terminating>NNNLISBCE</terminating>
<originating>UKDCNNNNNNN</originating>
</sip_entities>
<feature_flag>4</feature_flag>
<bcc>M</bcc>
<ma_uui>0</ma_uui>
<resource_flag>0</resource_flag>
<bandwidth>1</bandwidth>
<av_gsid>007651bf-NNNN-4701-NNNN-57c36b590000</av_gsid>
<ip_addresses>
<calling>192.0.0.50</calling>
<called>192.0.0.51</called>
</ip_addresses>
<usage>
<voice>Y</voice>
<video>N</video>
<fax>N</fax>
<text>N</text>
<other>N</other>
</usage>
<codec>8</codec>
<tenant_ids>
<calling></calling>
<called></called>
</tenant_ids>
</call>
<call>
<call_time>2017-03-27T15:46:53+01:00</call_time>
<duration>PT19.737S</duration>
<condition_code>9</condition_code>
<parties>
<dialed_number>*0123456789@NNN.com:5060</dialed_number>
<calling_number>0987654321@192.0.0.52:19937</calling_number>
</parties>
<sip_entities>
<terminating>UKDCNNNNNN</terminating>
<originating>RONNNNNNN</originating>
</sip_entities>
<feature_flag>4</feature_flag>
<bcc>M</bcc>
<ma_uui>0</ma_uui>
<resource_flag>0</resource_flag>
<bandwidth>1</bandwidth>
<av_gsid>2a774e90-NNNN-11e7-NNNNN-f8bc125544b0</av_gsid>
<ip_addresses>
<calling>192.0.0.50</calling>
<called>192.0.0.55</called>
</ip_addresses>
<usage>
<voice>Y</voice>
<video>N</video>
<fax>N</fax>
<text>N</text>
<other>N</other>
</usage>
<codec>8</codec>
<tenant_ids>
<calling></calling>
<called></called>
</tenant_ids>
</call>
</calls>
Use this:
LINE_BREAKER = (<\/call>[\r\n\s]+<call>[\r\n\s]+)
You can use the spath command to get the values that you want. See the xml examples towards the bottom.
http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Spath
You can also have Splunk extract all fields automatically for you:
http://splunk-base.splunk.com/answers/2889/automatically-extract-xml-key-value-pairs
I'd thought I'd drop an example search I've done for this that formats some of the output, as it can get a little mangled. I'm still getting my head around how Splunk works, but I hope it helps someone.
<basesearch> | replace *T* with "* *" in call_time | replace PT*H*M*S with "* Hours * Minutes * Seconds" in duration | replace PT*M*S with "* Minutes * Seconds" in duration | replace PT*.*S with "*.* Seconds" in duration
Thanks for getting back so quickly, but it hasn't solved my issues (unless I'm missing something). I created a new props.conf and entered the line.
I may be misunderstanding how it should display, but this is what I currently get as output from a raw search.
You need to make sure that you also set SHOULD_LINEMERGE = false. You need to deploy this to your indexers and restart Splunk there. Even then, only events forwarded AFTER the restarts will show correctly; previously indexed events will always stay broken (<- literally).
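An offline check of the two settings from the answers above (the LINE_BREAKER regex and SHOULD_LINEMERGE = false), as an added Python example that is not from this thread or from Splunk. It reads both settings from a constructed props.conf stanza (the sourcetype name call_xml is an assumption), applies the LINE_BREAKER rule Splunk documents (the first capturing group marks the boundary and its text is discarded), and then pulls spath-style dotted field names out of each resulting event with a tolerant walker, so the regex can be tried locally before deploying to the indexers and restarting.

```python
import configparser
import re

# Constructed props.conf stanza: the sourcetype name "call_xml" is an
# assumption; LINE_BREAKER and SHOULD_LINEMERGE are the two settings from the
# answers in this thread.
PROPS_CONF = r"""
[call_xml]
LINE_BREAKER = (<\/call>[\r\n\s]+<call>[\r\n\s]+)
SHOULD_LINEMERGE = false
"""

# Constructed sample in the shape of the asker's file; values are placeholders.
SAMPLE_XML = """<?xml version="1.0"?>
<calls>
<call>
<call_time>2017-03-27T15:46:38+01:00</call_time>
<duration>PT50.189S</duration>
<parties>
<dialed_number>0063123456789@example.com</dialed_number>
<calling_number>0112456789@example.com</calling_number>
</parties>
</call>
<call>
<call_time>2017-03-27T15:46:53+01:00</call_time>
<duration>PT19.737S</duration>
<parties>
<dialed_number>*0123456789@example.com:5060</dialed_number>
<calling_number>0987654321@192.0.2.52:19937</calling_number>
</parties>
</call>
</calls>
"""

def parse_props(text, stanza):
    """Read LINE_BREAKER and SHOULD_LINEMERGE from one props.conf stanza.
    configparser handles this small subset of Splunk's .conf syntax."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's upper-case setting names
    cp.read_string(text)
    sec = cp[stanza]
    return sec["LINE_BREAKER"], sec.getboolean("SHOULD_LINEMERGE", fallback=True)

def break_events(raw, line_breaker, should_linemerge=False):
    """Emulate Splunk's LINE_BREAKER: the text matched by the first capturing
    group is an event boundary and is dropped from both neighbouring events."""
    if should_linemerge:
        # With line merging on, Splunk recombines the broken lines using its
        # timestamp rules, so the breaker alone does not decide the boundaries.
        raise ValueError("set SHOULD_LINEMERGE = false for LINE_BREAKER to be final")
    pattern = re.compile(line_breaker)
    if pattern.groups < 1:
        raise ValueError("LINE_BREAKER needs a capturing group")
    events, start = [], 0
    for m in pattern.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]

# One token per XML declaration, tag, or text run.
TOKEN = re.compile(r"<\?[^>]*\?>|<(/?)([A-Za-z_][\w.-]*)[^>]*>|([^<]+)")

def extract_fields(event):
    """Tolerant spath-like walk: {dotted.path: text} for each leaf element.
    Unmatched tags (header/footer residue left in an event) are skipped, where
    a strict XML parser would reject the whole fragment."""
    fields, stack = {}, []
    for m in TOKEN.finditer(event):
        closing, name, text = m.group(1), m.group(2), m.group(3)
        if name is None:
            if text is not None and text.strip() and stack:
                fields[".".join(stack)] = text.strip()
        elif closing == "/":
            if name in stack:
                del stack[stack.index(name):]  # pop back to the matching open tag
        elif not m.group(0).endswith("/>"):
            stack.append(name)
    return fields

def demo():
    """Run the constructed stanza over the constructed file."""
    breaker, merge = parse_props(PROPS_CONF, "call_xml")
    events = break_events(SAMPLE_XML, breaker, merge)
    return events, [extract_fields(e) for e in events]

if __name__ == "__main__":
    for i, (event, fields) in enumerate(zip(*demo()), 1):
        print(f"--- event {i} ({len(event.splitlines())} lines)")
        for path, value in fields.items():
            print(f"{path} = {value}")
```

Running it shows two events, which is the split the accepted answer produces. Because the capturing group swallows the `</call>` and `<call>` tags between records, neither event contains its own `<call>` wrapper; the first event still carries the `<?xml ...?>`, `<calls>` and `<call>` header (so its paths come out as `calls.call.call_time` and so on) and the last event carries the `</call></calls>` footer. Those leftovers are the "XML lines" the asker mentions wanting to remove next; the walker here tolerates them, whereas a strict XML parser would fail on those two fragments.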
Thank you so much. That's done the trick perfectly. I need to get rid of the XML lines, but I'm pretty sure I've seen that somewhere else, so I'll give it a bash first. Even with it in there, it's perfectly usable and now I can crack on getting the data I need set up.
Once again, thanks!