XML key pair extraction

Lazarix
Communicator

I've looked at about 5 examples of how to do XML key pair extraction but it's just not doing it for me and I can't figure out why.

I've got the following data in a file which is being indexed by Splunk:

<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns1="http://www.example.org/Admin/"><SOAP-ENV:Body><ns1:PortalAuthentication><serverHost name="test-server-01" port = "5480" qhist = "yes" username = "testuser" timezoneoffset = "Europe/London" ><Status username="testuser" desc="Online" nzrev="7.0.0-0.F-1.P-1.Bld-26407" fss="schema_disabled" upper="true"/></serverHost><serverHost name="test-server-03" port = "5480" qhist = "yes" username = "testuser" timezoneoffset = "Europe/London" ><Status username="testuser" desc="Online" nzrev="7.0.2-0.F-1.P-5.Bld-31068" fss="schema_disabled" upper="true"/></serverHost><serverHost name="test-server-04" port = "5480" qhist = "yes" username = "testuser" timezoneoffset = "Europe/London" ><Status username="testuser" desc="Online" nzrev="7.0.0-0.F-1.P-1.Bld-26407" fss="schema_disabled" upper="true"/></serverHost><serverHost name="test-server-05" port = "5480" qhist = "yes" username = "testuser" timezoneoffset = "America/Danmarkshavn" ><Status username="testuser" desc="Online" nzrev="7.0.2-0.F-1.P-3.Bld-29542" fss="schema_disabled" upper="true"/></serverHost><serverHost name="test-server-06" port = "5480" qhist = "yes" username = "testuser" timezoneoffset = "Europe/London" ><Status username="testuser" desc="Online" nzrev="7.0.2-0.F-1.P-5.Bld-31068" fss="schema_disabled" upper="true"/></serverHost><serverHost name="test-server-07" port = "5480" qhist = "yes" username = "testuser" timezoneoffset = "America/Danmarkshavn" ><Status username="testuser" desc="Online" nzrev="7.0.2-0.F-1.P-5.Bld-31068" fss="schema_disabled" upper="true"/></serverHost><serverHost name="test-server-08" port = "5480" qhist = "yes" username = "testuser" timezoneoffset = "Europe/London" ><Status username="testuser" desc="Online" nzrev="7.0.2-0.F-1.P-5.Bld-31068" fss="schema_disabled" upper="true"/></serverHost></ns1:PortalAuthentication></SOAP-ENV:Body></SOAP-ENV:Envelope> Wed Oct 30 16:34:14 GMT 2013


I have configured my app/local/props.conf as follows:

[netezzaportal]
LINE_BREAKER = <NpsHost
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N
KV_MODE = xml

I have also tried my LINE_BREAKER as:

>(\s+)<NpsHost

and

[\>\s]((?=\<NpsHost\>))

But to no avail.

I have also tried to copy that section from the local props.conf into /opt/splunk/etc/system/local/props.conf but that also doesn't work. I have restarted the server after making each change, but Splunk still shows the whole thing as a single event.
I'm intending to make every NpsHost entry a single event, and extract name= as the hostname for each event.

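The asker wants one event per serverHost with name as the hostname. As an added example, not code from the original thread, the following Python parses the posted SOAP response outside Splunk with the standard library: it first splits off the trailing non-XML timestamp (which would otherwise make the event unparseable as XML), then emits one record per serverHost, flattening the nested Status attributes. The sample event is constructed from the posted data, with the second host's desc changed to Offline.

```python
import xml.etree.ElementTree as ET

# Constructed sample event in the same shape as the indexed file: the whole
# SOAP envelope on one line, followed by a trailing timestamp that is not XML.
SAMPLE_EVENT = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:ns1="http://www.example.org/Admin/"><SOAP-ENV:Body>'
    '<ns1:PortalAuthentication>'
    '<serverHost name="test-server-01" port = "5480" qhist = "yes" username = "testuser"'
    ' timezoneoffset = "Europe/London" ><Status username="testuser" desc="Online"'
    ' nzrev="7.0.0-0.F-1.P-1.Bld-26407" fss="schema_disabled" upper="true"/></serverHost>'
    '<serverHost name="test-server-05" port = "5480" qhist = "yes" username = "testuser"'
    ' timezoneoffset = "America/Danmarkshavn" ><Status username="testuser" desc="Offline"'
    ' nzrev="7.0.2-0.F-1.P-3.Bld-29542" fss="schema_disabled" upper="true"/></serverHost>'
    '</ns1:PortalAuthentication></SOAP-ENV:Body></SOAP-ENV:Envelope>'
    ' Wed Oct 30 16:34:14 GMT 2013'
)

ENVELOPE_END = "</SOAP-ENV:Envelope>"

def split_event(raw):
    """Separate the XML document from the trailing non-XML timestamp text."""
    end = raw.find(ENVELOPE_END)
    if end < 0:
        raise ValueError("no closing SOAP envelope found")
    end += len(ENVELOPE_END)
    return raw[:end], raw[end:].strip()

def extract_hosts(raw):
    """Return one dict per <serverHost>, flattening its <Status> child."""
    xml_text, timestamp = split_event(raw)
    root = ET.fromstring(xml_text)
    records = []
    # serverHost carries no namespace prefix, so iter() matches it by bare tag
    for host in root.iter("serverHost"):
        record = {"hostname": host.get("name"), "timestamp": timestamp}
        for key in ("port", "username", "timezoneoffset"):
            record[key] = host.get(key)
        status = host.find("Status")
        if status is not None:
            for key in ("desc", "nzrev", "fss"):
                record["status_" + key] = status.get(key)
        records.append(record)
    return records

if __name__ == "__main__":
    for rec in extract_hosts(SAMPLE_EVENT):
        print(rec)
```

Writing each record out as its own line (for example as JSON) from a scripted input gives Splunk one event per host with hostname already a field, with no LINE_BREAKER tuning needed.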

Lazarix
Communicator

For anyone using this on a Linux system, this is a gem of good news:
Use the following to parse your XML strings, even if they are all in one line:

xmllint --format /path/to/filename --output /path/to/output

This formats your XML into a line per key and it even indents them so you can still read them properly.



Lazarix
Communicator

I found that this wasn't at all possible and didn't work.
I ended up doing a scripted input instead.
