How to index XML data in Splunk without row. prefi...

slopez100 · ‎09-26-2014

My XML is as follows:

<row>
    <Id>1</Id>
    <PostId>7</PostId>
    <UserId>2</UserId>
    <VoteTypeId>2</VoteTypeId>
    <CreationDate>2009-11-06T02:22:37.063</CreationDate>
    <TargetUserId>7</TargetUserId>
    <TargetRepChange>10</TargetRepChange>
    <IPAddress>64.127.105.60</IPAddress>
</row>
<row>
    <Id>2</Id>
    <PostId>6</PostId>
    <UserId>2</UserId>
    <VoteTypeId>2</VoteTypeId>
    <CreationDate>2009-11-06T02:22:38.25</CreationDate>
    <TargetUserId>31</TargetUserId>
    <TargetRepChange>10</TargetRepChange>
    <IPAddress>64.127.105.61</IPAddress>
</row>

Splunk labels the columns as row.id, row.IPAddress, etc.

Is there a way to have the fields indexed in splunk without the "row." prefix. I've looked at FIELDALIAS and some other items but they don't do what I'm seeking.

Any help will be greatly appreciated.

Thanks in advance.

Scott

trsavela · ‎10-08-2014

Try this:

| rename  "row."* as *

somesoni2 · ‎09-30-2014

Give this a try (props.conf)

[yoursourcetype]
BREAK_ONLY_BEFORE=<Id>
CHARSET=AUTO
MAX_TIMESTAMP_LOOKAHEAD=150
NO_BINARY_CHECK=1
SEDCMD-acrRemover=s/\x0D//g
SEDCMD-aremove=s/\<row\>//g
SEDCMD-blfRemover=s/\x0A//g
SEDCMD-bremove=s/\<\/row\>//g
SEDCMD-cRemove=s/\<\/\w+\>//g
SEDCMD-dRemove=s/\</" /g
SEDCMD-eRemove=s/\>/="/g
SEDCMD-fRemove=s/^"//g
SHOULD_LINEMERGE=true

How to index XML data in Splunk without row. prefix?

Cultivate Your Career Growth with Fresh Splunk Training

Introducing a Smarter Way to Discover Apps on Splunkbase

How to Send Splunk Observability Alerts to Webex teams in Minutes

Are you a member of the Splunk Community?

How to index XML data in Splunk without row. prefix?

Cultivate Your Career Growth with Fresh Splunk Training

Introducing a Smarter Way to Discover Apps on Splunkbase

How to Send Splunk Observability Alerts to Webex teams in Minutes