Solved: convert pseudo XML file content to readable format

Rajshekhar · ‎11-15-2011

We have a file content in the format

</MSG>
<MSG _NO="3" _ID="15" _COMP="RunTime" _TEXT=" $PARAMETER$=$VALUE$">
 <MSG_ARGS
   _FILE="RTEConf_ParameterAccessKernelInterface+noPIC.cpp"
   _LINE="1141"
   _TIME="2011-11-11 19:01:41.000"
   _MESSAGEVERSION="1"
   PARAMETER="ADMIN"
   VALUE="1"

This is in pseudo XML format and we want this to be convereted to readable format. At OS level we execute the command spwdfvml0249:sqdixv 96> protconv /sapdb/data/wrk/IXV/KnlMsg > knldiag.txt_1511
to convert and read. How can we do this in splunk? is there any option to parse this data to readable format. Please help
Thanks|Rajshekhar

Ayn · ‎11-15-2011

Splunk does not itself convert any data. OK, not completely true - there is some functionality for rewriting event data sed style, but nothing that parses an XML file and reformats the whole thing into a completely different format.

However from the sample event you pasted your XML seems well-suited enough to simply read into Splunk and create events for each <MSG> tag in the XML. After you've done that you can create field extractions for all the interesting fields in each msg and use the field values however you want to create an output for the events that's more human readable. Splunk will even automatically parse key=value definitions in the XML, so with most of these keys and values you won't have to create any field extractions yourself.

View solution in original post

Ayn · ‎11-15-2011

Splunk does not itself convert any data. OK, not completely true - there is some functionality for rewriting event data sed style, but nothing that parses an XML file and reformats the whole thing into a completely different format.

However from the sample event you pasted your XML seems well-suited enough to simply read into Splunk and create events for each <MSG> tag in the XML. After you've done that you can create field extractions for all the interesting fields in each msg and use the field values however you want to create an output for the events that's more human readable. Splunk will even automatically parse key=value definitions in the XML, so with most of these keys and values you won't have to create any field extractions yourself.

Rajshekhar · ‎11-16-2011

Thanks for your help 🙂

Ayn · ‎11-16-2011

I'm no Splunk employee so any help I provide is done on my spare time on this site. So, you're better off asking your questions here instead - if I have time and possibility to help you out I will, and if not, hopefully someone else will step in!

Rajshekhar · ‎11-16-2011

Yes I will definitely do that. Would you please provide your mailId to me so that in future if I need any help on Splunk it would be easy for me to communicate.

Ayn · ‎11-16-2011

Awesome! Could you please mark my answer as accepted? Thanks!

Rajshekhar · ‎11-16-2011

Thank you very much! Now I can see the output as desired

Ayn · ‎11-16-2011

COMP and TEXT, not _COMP and _TEXT. Splunk automatically removes the leading underscore characters.

Rajshekhar · ‎11-16-2011

I am giving below search string:
host="spwdfvml0249" index="erp_maxdb" source= "/sapdb/data/wrk/IXV/KnlMsg" | table _COMP,_TEXT

it says no matching fields exist and below that 97888 matching events and in detailed area it says No results found.. Please advice

Ayn · ‎11-16-2011

OK! In that case, just issue table with any fields you want in tabular form. For instance for getting _time, COMP and FILE:

... | table _time, COMP, FILE

Rajshekhar · ‎11-16-2011

Thank you so much for answering..
On the left hand side under other interesting fields if i select All 67 fields I can see COMP, FILE and other fields.

Ayn · ‎11-16-2011

OK, so you're seeing all these as fields in the field picker to the left in the search app? For instance is there a "_comp" field and a "_FILE" field?

Rajshekhar · ‎11-16-2011

I have configured splunk to index the XML file, and its displaying the results as below.

<MSG_ARGS
_FILE="RTEConf_ParameterAccessKernelInterface+noPIC.cpp"
_LINE="1141"
_TIME="2011-11-11 19:01:41.000"
_MESSAGEVERSION="1"
PARAMETER="ADMIN"
VALUE="1"
Please let me know how to divide the fields and show only those fields in tabular format

Ayn · ‎11-16-2011

How far have you come? Do you have the XML events loaded into Splunk and properly divided up?

Rajshekhar · ‎11-15-2011

I want extract few fields(for example, _TEXT, _COMP) and show only those fields in tabular format.
How can I do this. Please assist

sushildabare · ‎11-15-2011

Thanks for answering!
The requirement is when we extract few fields for example _ID,_TEXT from the above sample event, we want to display that in single line and other fields should not be shown at all. How can we achieve this.

convert pseudo XML file content to readable format

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...