Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Log ingested having xml tags that are not having fields extracted and named as per the tags?

timothytruax
Explorer
‎01-07-2020 03:25 PM

• Attached you will see a sample of the log I am working with. <-- tried to attach it but not enough points. Haha!

• You will see in the body of the log row there are xml tags. Like CorrelationId, MessageId, DateTime, Status, Action, Message.

• I would think that Splunk would at least attempt to recognized these "xml tagged" field and name them.

• Is it not recognizing the xml tags because the FULL log is not xml tagged & the beginning few positions aren't xml tagged?

• Any thoughts or suggestions appreciated.

0 Karma
Reply

to4kawa
Ultra Champion
‎01-15-2020 04:33 AM 
| makeresults 
| eval _raw="000 2 00 0000 2020-01-08 13:52:48.771 (PickupStatusListener:41) Message payload: <?xml version=\"1.0\" encoding=\"UTF-8\"?> <ns0:PickupStatus xmlns:ns0=\"http://cpc.ground.fedex.com/pickup/status/v1\"><CorrelationId>4dba36a5-076b-4dc6-bde5-04366a4dcb78</CorrelationId><MessageId>bf6cd527-fb0b-4f08-8920-f1c01d498764</MessageId><ParentMessageId>c4b3cc79-c4bb-4512-a3b7-f1527cf03491</ParentMessageId><StatusForMessageId>1570a3c5-fab3-4ad3-ad13-5ed883171712</StatusForMessageId><DateTime>2020-01-08T13:52:48.717-05:00</DateTime><SourceSentDateTime>2020-01-08T13:52:27-05:00</SourceSentDateTime><Status>ReadReceipt</Status><Message>Request to remove pickup from manifest was received by the scanner.</Message><UserId>BRK_APP</UserId><RequestType>TransferRequest</RequestType><Action>Remove</Action><TerminalNumber>314</TerminalNumber></ns0:PickupStatus>" 
| rex "(?<xml_data>(?=\<).+)"
| rex "(?<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})" 
| spath input=xml_data
| fields - _* xml_data
| eval _time=strptime(time,"%F %T.%3Q")

Hi, @timothytruax
If there is data in _raw , it can be extracted like this.

0 Karma
Reply

timothytruax
Explorer
‎01-14-2020 05:30 AM

Is there ANY OTHER way I can get this image of the log row to you?

0 Karma
Reply

timothytruax
Explorer
‎01-15-2020 03:44 AM

What appears to be happening is the timestamp fields can vary in length and appearance; so when we attempt to use the extractor to create as field that is past one of those varying timestamps we get unmatched rows in the extractor.

0 Karma
Reply

timothytruax
Explorer
‎01-15-2020 03:40 AM 
 `   000 2 00 0000 2020-01-08 13:52:48.771 (PickupStatusListener:41) Message payload: <?xml version="1.0" encoding="UTF-8"?> <ns0:PickupStatus xmlns:ns0="http://cpc.ground.fedex.com/pickup/status/v1"><CorrelationId>4dba36a5-076b-4dc6-bde5-04366a4dcb78</CorrelationId><MessageId>bf6cd527-fb0b-4f08-8920-f1c01d498764</MessageId><ParentMessageId>c4b3cc79-c4bb-4512-a3b7-f1527cf03491</ParentMessageId><StatusForMessageId>1570a3c5-fab3-4ad3-ad13-5ed883171712</StatusForMessageId><DateTime>2020-01-08T13:52:48.717-05:00</DateTime><SourceSentDateTime>2020-01-08T13:52:27-05:00</SourceSentDateTime><Status>ReadReceipt</Status><Message>Request to remove pickup from manifest was received by the scanner.</Message><UserId>BRK_APP</UserId><RequestType>TransferRequest</RequestType><Action>Remove</Action><TerminalNumber>314</TerminalNumber></ns0:PickupStatus> `
0 Karma
Reply

timothytruax
Explorer
‎01-15-2020 03:38 AM

Thanks Rich! I will remember that!! Here is the log row....

000 2 00 0000 2020-01-08 13:52:48.771 (PickupStatusListener:41) Message payload: <?xml version="1.0" encoding="UTF-8"?> <ns0:PickupStatus xmlns:ns0="http://cpc.ground.fedex.com/pickup/status/v1"><CorrelationId>4dba36a5-076b-4dc6-bde5-04366a4dcb78</CorrelationId><MessageId>bf6cd527-fb0b-4f08-8920-f1c01d498764</MessageId><ParentMessageId>c4b3cc79-c4bb-4512-a3b7-f1527cf03491</ParentMessageId><StatusForMessageId>1570a3c5-fab3-4ad3-ad13-5ed883171712</StatusForMessageId><DateTime>2020-01-08T13:52:48.717-05:00</DateTime><SourceSentDateTime>2020-01-08T13:52:27-05:00</SourceSentDateTime><Status>ReadReceipt</Status><Message>Request to remove pickup from manifest was received by the scanner.</Message><UserId>BRK_APP</UserId><RequestType>TransferRequest</RequestType><Action>Remove</Action><TerminalNumber>314</TerminalNumber></ns0:PickupStatus>

0 Karma
Reply

timothytruax
Explorer
‎01-14-2020 05:29 AM

For some reason when I copy / paste the log row this field strips out my xml tags.
Also when I try to upload a small image of the log row this site tells me I do not have enough points to upload the file.
Therefore this site and any interaction thru the SPLUNK provided field for pasting data is virtually worthless!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-14-2020 05:39 AM

To avoid losing XML tags and other formatting characters, enclose the text within backtics (`) or highlight it and click the code button (101010).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-07-2020 04:56 PM

Please copy-and-paste some sample data.
Please also share the props.conf file settings for the sourcetype.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

timothytruax
Explorer
‎01-08-2020 12:33 PM

Log row....

000 2 00 0000 2020-01-08 13:52:48.771 (PickupStatusListener:41) Message payload: 4dba36a5-076b-4dc6-bde5-04366a4dcb78bf6cd527-fb0b-4f08-8920-f1c01d498764c4b3cc79-c4bb-4512-a3b7-f1527cf034911570a3c5-fab3-4ad3-ad13-5ed8831717122020-01-08T13:52:48.717-05:002020-01-08T13:52:27-05:00ReadReceiptRequest to remove pickup from manifest was received by the scanner.BRK_APPTransferRequestRemove314

Props.conf for sourcetype...

-bash-4.2$ cat props.conf
[kedex:cpc:log]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{3}\s+\d{1}\s+\d{2}\s+\d{4}
NO_BINARY_CHECK=true
disabled=false
TIME_PREFIX=\s+\d{4}\s+
TIME_FORMAT=%F %T.%3N
TRUNCATE=999999
MAX_TIMESTAMP_LOOKAHEAD=35

[kedex:cpc:gc]
SHOULD_LINEMERGE=false
TIME_PREFIX=^
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}
TIME_FORMAT=%FT%T.%3N
MAX_TIMESTAMP_LOOKAHEAD=25
TRUNCATE=999999

[kedex:cpc:error]
SHOULD_LINEMERGE=false
TIME_PREFIX=^\d+\s+\d+\s+\d+\s+\d+\s+
LINE_BREAKER=([\r\n]+)\d+\s+\d+\s+\d+\s+\d+\s+\d{4}-\d{2}-\d{2}
TIME_FORMAT=%F %T.%3N
MAX_TIMESTAMP_LOOKAHEAD=25
TRUNCATE=999999

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-12-2020 07:27 PM

There are no XML tags in the sample log row.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

timothytruax
Explorer
‎01-14-2020 05:31 AM

For some reason when I copy / paste the log row this field strips out my xml tags.
Also when I try to upload a small image of the log row this site tells me I do not have enough points to upload the file.
Therefore this site and any interaction thru the SPLUNK provided field for pasting data is virtually worthless! Is there any other way I can get this log row to you?

0 Karma
Reply

timothytruax
Explorer
‎01-14-2020 05:27 AM

I am unable to upload an image of this log row - AND - when I copy and paste the text of the log row it strips out my xml tags. How else can I get the text or an image of this log row to you.

For some reason they say I do not have enough "points" to upload a small image of the log row.

0 Karma
Reply

timothytruax
Explorer
‎01-07-2020 05:06 PM

Hi Rich - I will send it first thing tomorrow morning. Thank you for your attention to my question. Tim

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...