Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Parsing XML log files

monteirolopes
Communicator
‎05-03-2017 01:58 PM

Hi,

I would to like to index a log in xml format and I would to like to parse it so that the content of each event was what was inside the tags, as shown below:

alt text

Event1 = content 1
Event2 = content 2

How can I do this? Is there a regular expression for the above example?

Best regards,
Lopes.

Tags (2)
xmlsplunk.jpg
Preview file
15 KB
0 Karma
Reply

niketn
Legend
‎05-03-2017 08:48 PM

@monteirolopes... depends on how you are loading XML data. Is the entire content itself XML or is XML part of content with some additional text without XML format.

For raw XML event
Based on whether you want to have Splunk perform automatic XML extraction during index time or search time you can choose between either one of INDEXED_EXTRACTIONS or KV_MODE as XML. Refer to the following documentation: http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileswithstructureddata#Pro...

For XML data as a subset of raw event
You can use spath to traverse XML once you have extracted XML Data.

Please find below run anywhere search for your mock data. Also refer to spath documentation: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath

| makeresults
| eval mockXMLData="<Flow_data>Content1</Flow_data><Detected_signatures>Content2</Detected_signatures>"
| spath input=mockXMLData path=Detected_signatures output=key
| table key mockXMLData

PS: You can apply regular expression using rex, command but spath has been written specifically for XML and JSON data parsing.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
li.common.scroll-to.top