Hi, I have an XML-like (but not proper XML) feed that I need to parse.
A sample is below, and I need to parse out each field.
Each field will not necessarily be in each event, so I need a method that will find it, without depending upon a previous field or the location within the event itself.
Can anyone help?
Apr 22 19:54:29 138.126.78.80 <STONEGATE_LOG><TIMESTAMP>2019-04-22 15:54:28</TIMESTAMP><LOGID>9999999</LOGID><NODEID>1.2.3.4</NODEID><FACILITY>Packet Filtering</FACILITY><TYPE>Notification</TYPE><EVENT>New connection</EVENT><ACTION>Allow</ACTION><SRC>4.5.6.7</SRC><DST>X.X.X.X</DST><SERVICE>HTTP</SERVICE><PROTOCOL>2</PROTOCOL><SPORT>12345</SPORT><DPORT>99</DPORT><RULEID>60732.1</RULEID><SRCIF>5</SRCIF><COMPID>some text here</COMPID><RECEPTIONTIME>2019-04-22 15:54:29</RECEPTIONTIME><SENDERTYPE>Firewall</SENDERTYPE><SITUATION>Connection_Allowed</SITUATION><EVENTID>99999999999</EVENTID></STONEGATE_LOG>
Hi,
To extract the XML data at search time, you can use the config below on the Search Head.
props.conf
[yourSourcetype]
REPORT-test = xmlkv_alt
transforms.conf
[xmlkv_alt]
FORMAT = $1::$2
REGEX = <([^>]*)>([^<]*)<\/\1>
EDIT: Please find the regex extraction with sample data at https://regex101.com/r/tJVD20/1
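To see what the transforms.conf regex above actually captures from the event in the question, here is an added Python example that applies the same pattern outside Splunk. It is not code from the original thread or from Splunk; the function names `extract_fields` and `field`, and the second, sparser event used to show the "not every field is present" case, are assumptions made for this example.

```python
import re

# Constructed sample event, copied from the question (the DST value is redacted there as X.X.X.X).
FULL_EVENT = (
    "Apr 22 19:54:29 138.126.78.80 <STONEGATE_LOG><TIMESTAMP>2019-04-22 15:54:28</TIMESTAMP>"
    "<LOGID>9999999</LOGID><NODEID>1.2.3.4</NODEID><FACILITY>Packet Filtering</FACILITY>"
    "<TYPE>Notification</TYPE><EVENT>New connection</EVENT><ACTION>Allow</ACTION>"
    "<SRC>4.5.6.7</SRC><DST>X.X.X.X</DST><SERVICE>HTTP</SERVICE><PROTOCOL>2</PROTOCOL>"
    "<SPORT>12345</SPORT><DPORT>99</DPORT><RULEID>60732.1</RULEID><SRCIF>5</SRCIF>"
    "<COMPID>some text here</COMPID><RECEPTIONTIME>2019-04-22 15:54:29</RECEPTIONTIME>"
    "<SENDERTYPE>Firewall</SENDERTYPE><SITUATION>Connection_Allowed</SITUATION>"
    "<EVENTID>99999999999</EVENTID></STONEGATE_LOG>"
)

# Constructed second event (an assumption, not from the thread) carrying only a few of the
# fields, to show that extraction does not depend on any field being present or on its position.
SPARSE_EVENT = (
    "Apr 22 19:55:01 138.126.78.80 <STONEGATE_LOG><TIMESTAMP>2019-04-22 15:55:00</TIMESTAMP>"
    "<ACTION>Discard</ACTION><SRC>10.0.0.9</SRC></STONEGATE_LOG>"
)

# The same pattern as the transforms.conf REGEX: an opening tag, its text content, and a
# closing tag whose name must equal the opening one (backreference \1). Because the value
# part is [^<]*, it cannot span nested tags, so the outer <STONEGATE_LOG> wrapper never
# matches and does not become a field; every leaf <TAG>value</TAG> pair does.
TAG_VALUE = re.compile(r"<([^>]*)>([^<]*)</\1>")


def extract_fields(event: str) -> dict:
    """Return every leaf <TAG>value</TAG> pair in the event as a dict, mirroring FORMAT = $1::$2."""
    return {tag: value for tag, value in TAG_VALUE.findall(event)}


def field(event: str, name: str, default=None):
    """Look up one field by tag name; missing fields yield the default instead of raising."""
    return extract_fields(event).get(name, default)


if __name__ == "__main__":
    for tag, value in extract_fields(FULL_EVENT).items():
        print(f"{tag}={value}")
    print("sparse event DST:", field(SPARSE_EVENT, "DST", "<absent>"))
```

Note that this is a regex, not an XML parser: it only finds tag/value pairs whose closing tag immediately follows the text, which is exactly what the feed shows, and the syslog prefix (`Apr 22 19:54:29 138.126.78.80`) is left untouched because it contains no tags.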