Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Log ingested having xml tags that are not having fields extracted and named as per the tags?

timothytruax
Explorer
‎01-07-2020 03:25 PM

• Attached you will see a sample of the log I am working with. <-- tried to attach it but not enough points. Haha!

• You will see in the body of the log row there are xml tags. Like CorrelationId, MessageId, DateTime, Status, Action, Message.

• I would think that Splunk would at least attempt to recognized these "xml tagged" field and name them.

• Is it not recognizing the xml tags because the FULL log is not xml tagged & the beginning few positions aren't xml tagged?

• Any thoughts or suggestions appreciated.

0 Karma
Reply

to4kawa
Ultra Champion
‎01-15-2020 04:33 AM 
| makeresults 
| eval _raw="000 2 00 0000 2020-01-08 13:52:48.771 (PickupStatusListener:41) Message payload: <?xml version=\"1.0\" encoding=\"UTF-8\"?> <ns0:PickupStatus xmlns:ns0=\"http://cpc.ground.fedex.com/pickup/status/v1\"><CorrelationId>4dba36a5-076b-4dc6-bde5-04366a4dcb78</CorrelationId><MessageId>bf6cd527-fb0b-4f08-8920-f1c01d498764</MessageId><ParentMessageId>c4b3cc79-c4bb-4512-a3b7-f1527cf03491</ParentMessageId><StatusForMessageId>1570a3c5-fab3-4ad3-ad13-5ed883171712</StatusForMessageId><DateTime>2020-01-08T13:52:48.717-05:00</DateTime><SourceSentDateTime>2020-01-08T13:52:27-05:00</SourceSentDateTime><Status>ReadReceipt</Status><Message>Request to remove pickup from manifest was received by the scanner.</Message><UserId>BRK_APP</UserId><RequestType>TransferRequest</RequestType><Action>Remove</Action><TerminalNumber>314</TerminalNumber></ns0:PickupStatus>" 
| rex "(?<xml_data>(?=\<).+)"
| rex "(?<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})" 
| spath input=xml_data
| fields - _* xml_data
| eval _time=strptime(time,"%F %T.%3Q")

Hi, @timothytruax
If there is data in _raw , it can be extracted like this.

0 Karma
Reply

timothytruax
Explorer
‎01-14-2020 05:30 AM

Is there ANY OTHER way I can get this image of the log row to you?

0 Karma
Reply

timothytruax
Explorer
‎01-15-2020 03:44 AM

What appears to be happening is the timestamp fields can vary in length and appearance; so when we attempt to use the extractor to create as field that is past one of those varying timestamps we get unmatched rows in the extractor.

0 Karma
Reply

timothytruax
Explorer
‎01-15-2020 03:40 AM 
 `   000 2 00 0000 2020-01-08 13:52:48.771 (PickupStatusListener:41) Message payload: <?xml version="1.0" encoding="UTF-8"?> <ns0:PickupStatus xmlns:ns0="http://cpc.ground.fedex.com/pickup/status/v1"><CorrelationId>4dba36a5-076b-4dc6-bde5-04366a4dcb78</CorrelationId><MessageId>bf6cd527-fb0b-4f08-8920-f1c01d498764</MessageId><ParentMessageId>c4b3cc79-c4bb-4512-a3b7-f1527cf03491</ParentMessageId><StatusForMessageId>1570a3c5-fab3-4ad3-ad13-5ed883171712</StatusForMessageId><DateTime>2020-01-08T13:52:48.717-05:00</DateTime><SourceSentDateTime>2020-01-08T13:52:27-05:00</SourceSentDateTime><Status>ReadReceipt</Status><Message>Request to remove pickup from manifest was received by the scanner.</Message><UserId>BRK_APP</UserId><RequestType>TransferRequest</RequestType><Action>Remove</Action><TerminalNumber>314</TerminalNumber></ns0:PickupStatus> `
0 Karma
Reply

timothytruax
Explorer
‎01-15-2020 03:38 AM

Thanks Rich! I will remember that!! Here is the log row....

000 2 00 0000 2020-01-08 13:52:48.771 (PickupStatusListener:41) Message payload: <?xml version="1.0" encoding="UTF-8"?> <ns0:PickupStatus xmlns:ns0="http://cpc.ground.fedex.com/pickup/status/v1"><CorrelationId>4dba36a5-076b-4dc6-bde5-04366a4dcb78</CorrelationId><MessageId>bf6cd527-fb0b-4f08-8920-f1c01d498764</MessageId><ParentMessageId>c4b3cc79-c4bb-4512-a3b7-f1527cf03491</ParentMessageId><StatusForMessageId>1570a3c5-fab3-4ad3-ad13-5ed883171712</StatusForMessageId><DateTime>2020-01-08T13:52:48.717-05:00</DateTime><SourceSentDateTime>2020-01-08T13:52:27-05:00</SourceSentDateTime><Status>ReadReceipt</Status><Message>Request to remove pickup from manifest was received by the scanner.</Message><UserId>BRK_APP</UserId><RequestType>TransferRequest</RequestType><Action>Remove</Action><TerminalNumber>314</TerminalNumber></ns0:PickupStatus>

0 Karma
Reply

timothytruax
Explorer
‎01-14-2020 05:29 AM

For some reason when I copy / paste the log row this field strips out my xml tags.
Also when I try to upload a small image of the log row this site tells me I do not have enough points to upload the file.
Therefore this site and any interaction thru the SPLUNK provided field for pasting data is virtually worthless!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-14-2020 05:39 AM

To avoid losing XML tags and other formatting characters, enclose the text within backtics (`) or highlight it and click the code button (101010).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-07-2020 04:56 PM

Please copy-and-paste some sample data.
Please also share the props.conf file settings for the sourcetype.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

timothytruax
Explorer
‎01-08-2020 12:33 PM

Log row....

000 2 00 0000 2020-01-08 13:52:48.771 (PickupStatusListener:41) Message payload: 4dba36a5-076b-4dc6-bde5-04366a4dcb78bf6cd527-fb0b-4f08-8920-f1c01d498764c4b3cc79-c4bb-4512-a3b7-f1527cf034911570a3c5-fab3-4ad3-ad13-5ed8831717122020-01-08T13:52:48.717-05:002020-01-08T13:52:27-05:00ReadReceiptRequest to remove pickup from manifest was received by the scanner.BRK_APPTransferRequestRemove314

Props.conf for sourcetype...

-bash-4.2$ cat props.conf
[kedex:cpc:log]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)\d{3}\s+\d{1}\s+\d{2}\s+\d{4}
NO_BINARY_CHECK=true
disabled=false
TIME_PREFIX=\s+\d{4}\s+
TIME_FORMAT=%F %T.%3N
TRUNCATE=999999
MAX_TIMESTAMP_LOOKAHEAD=35

[kedex:cpc:gc]
SHOULD_LINEMERGE=false
TIME_PREFIX=^
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}
TIME_FORMAT=%FT%T.%3N
MAX_TIMESTAMP_LOOKAHEAD=25
TRUNCATE=999999

[kedex:cpc:error]
SHOULD_LINEMERGE=false
TIME_PREFIX=^\d+\s+\d+\s+\d+\s+\d+\s+
LINE_BREAKER=([\r\n]+)\d+\s+\d+\s+\d+\s+\d+\s+\d{4}-\d{2}-\d{2}
TIME_FORMAT=%F %T.%3N
MAX_TIMESTAMP_LOOKAHEAD=25
TRUNCATE=999999

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-12-2020 07:27 PM

There are no XML tags in the sample log row.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

timothytruax
Explorer
‎01-14-2020 05:31 AM

For some reason when I copy / paste the log row this field strips out my xml tags.
Also when I try to upload a small image of the log row this site tells me I do not have enough points to upload the file.
Therefore this site and any interaction thru the SPLUNK provided field for pasting data is virtually worthless! Is there any other way I can get this log row to you?

0 Karma
Reply

timothytruax
Explorer
‎01-14-2020 05:27 AM

I am unable to upload an image of this log row - AND - when I copy and paste the text of the log row it strips out my xml tags. How else can I get the text or an image of this log row to you.

For some reason they say I do not have enough "points" to upload a small image of the log row.

0 Karma
Reply

timothytruax
Explorer
‎01-07-2020 05:06 PM

Hi Rich - I will send it first thing tomorrow morning. Thank you for your attention to my question. Tim

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of Splunk APM’s and Splunk RUM’s streaming infrastructure in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...