Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Want to write rex in props to extract field from XML

abhaywdc
Loves-to-Learn
‎03-27-2024 11:07 AM

I have a mixed data of ADFS logs, mixed in the sense, I have non XML as well as XML formatted data in the same event. Now my requirement is to extract the field from XML format .

 

Ex:- <abc>WoW</abc>

        <xyz>SURE</xyz>

 

Now, both the lines are in the same event. I want to have two fields called "abc" and "xyz" with the corresponding value WoW and SURE.

 

Kindly help !!

Labels (1)
Labels
0 Karma
Reply

Abhay
Explorer
‎03-28-2024 04:15 AM

We can't use xmlkv, customer will fire the index=indexname sourcetype=soucetypename and data should appear with all the fields extracted !!

 

the events are the combination of Non-XML and XML format.

 

From the Non-xml format we have the fields coming in but from the XML formats we dont have any fields.

 

Finally, we have to automate the extraction using the props.conf in the backend.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-28-2024 08:18 AM
Can you give any sanitized sample data?
It's enough that fields are extracted, but not need to index those in ingesting phase?
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-27-2024 11:34 AM

Hi

in splunk you can get it like 

| makeresults 
| eval _raw = "Ex:- <abc>WoW</abc>

        <xyz>SURE</xyz>"
``` above prepare test event ```
| rex "(?ms)<abc>(?<abc>[^<]+)<\\/abc>.*<xyz>(?<xyz>[^<]+)<\\/xyz>"

A nice place to test those is regex101.com. Here is link to your case https://regex101.com/r/iBvAPm/1

When you are converting those for Splunk, usually there is need to add some additional escape character as splunk preprocessing that reg ex and remove some \ characters 

r. Ismo

0 Karma
Reply

Abhay
Explorer
‎03-28-2024 03:39 AM

I appreciate your response here, but there are many xml tags in the event , as I mentioned in the example :

abc

xyz

 

So, you do not know what are the tags coming in the event, so it is dynamic.

 

My Field should be created dynamically with the tag's name and the corresponding value.

 

ex:- <abc>Wow</abc>

field name should not be hardcoded as "abc", it should take "abc" dynamically and the value should be "Wow"

Tags (2)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-28-2024 04:12 AM
Is it possible to extract those xml parts 1st and then use xmlkv command to those?
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...