Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to cherry pick fields from raw xml records before indexing

riotto
Path Finder
‎04-21-2018 06:47 AM

I have several raw xml events that are getting indexed from a monitored log. The log is forwarded from a universal forwarder. The xml event is pretty long and I only want to index certain fields from it. How can I do this before indexing so that I can save my daily volume limit which is starting to exceed the limit.

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎04-22-2018 10:07 AM

Best practice is to do this with "something else" to keep the Indexers from being overloaded with work that "other things" can do, to keep them free to do the stuff that "only Indexers can do". You might do this with a heavy forwarder, but I would not. I would write my own pre-parser code to strip out the stuff that I need and write it to a different file in a special directory for only these files and then have your Splunk UF monitor that other directory of pre-processed files.

0 Karma
Reply

niketn
Legend
‎04-21-2018 10:08 AM

@riotto, you can define props.conf to index only selected part of XML. Try something like the following:

BREAK_ONLY_BEFORE=\<yourRequiredXMLNode\>
MUST_BREAK_AFTER=\<\/yourRequiredXMLNode\>

If the part of XML you want to index also has timestamp field you would need to define TIME_PREFIX and TIME_FORMAT as well.

If it does not work you might have to provide us with sample XML data after mocking/anonymizing any sensitive data and also what props.conf you have for your sourcetype.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...