Splunk XML data formatting

smusunuri1 · ‎12-30-2015

I trying to split the xml data while pushing into splunk. I had a tough time working on this as this a combination of XML and CSV format.

Input:

10:26:10 PST 16 Nov 2015
    <employee details="ename;position;branch" department="XYZ">AA;systems engineer;seattle
</employee>

1:26:10 PST 16 Nov 2015
    <employee details="ename;position;branch" department="XYZ">BB;Lead;seattle
CC;Tech Lead,Redmond    
</employee>

6:26:10 PST 16 Nov 2015
    <employee details="ename;position;branch" department="XYZ">DD;data architect;annapolis
</employee>

Expected Output:

ename position branch
AA systems engineer seattle
BB Lead seattle
CC Tech Lead Redmond
DD data architect annapolis

sundareshr · ‎12-30-2015

Unless this sample is incomplete, I don't see valid XML. If this data is correct, then you can strip out the unwanted data using SEDCMD in your props.conf like this

SEDCMD-removeunwanted=s/(\<.*\>)//g

http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Anonymizedatausingconfigurationfiles

Now to extract the fields, use the DELIMS in your transforms... like so

[extract_fields]
DELIMS = ";"
FIELDS = "ename", "position", "branch"

http://docs.splunk.com/Documentation/Splunk/6.1/admin/Transformsconf

Splunk XML data formatting

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

Splunk XML data formatting

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...