Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Want to write rex in props to extract field from XML

abhaywdc
Loves-to-Learn
‎03-27-2024 11:07 AM

I have a mixed data of ADFS logs, mixed in the sense, I have non XML as well as XML formatted data in the same event. Now my requirement is to extract the field from XML format .

 

Ex:- <abc>WoW</abc>

        <xyz>SURE</xyz>

 

Now, both the lines are in the same event. I want to have two fields called "abc" and "xyz" with the corresponding value WoW and SURE.

 

Kindly help !!

Labels (1)
Labels
0 Karma
Reply

Abhay
Explorer
‎03-28-2024 04:15 AM

We can't use xmlkv, customer will fire the index=indexname sourcetype=soucetypename and data should appear with all the fields extracted !!

 

the events are the combination of Non-XML and XML format.

 

From the Non-xml format we have the fields coming in but from the XML formats we dont have any fields.

 

Finally, we have to automate the extraction using the props.conf in the backend.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-28-2024 08:18 AM
Can you give any sanitized sample data?
It's enough that fields are extracted, but not need to index those in ingesting phase?
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-27-2024 11:34 AM

Hi

in splunk you can get it like 

| makeresults 
| eval _raw = "Ex:- <abc>WoW</abc>

        <xyz>SURE</xyz>"
``` above prepare test event ```
| rex "(?ms)<abc>(?<abc>[^<]+)<\\/abc>.*<xyz>(?<xyz>[^<]+)<\\/xyz>"

A nice place to test those is regex101.com. Here is link to your case https://regex101.com/r/iBvAPm/1

When you are converting those for Splunk, usually there is need to add some additional escape character as splunk preprocessing that reg ex and remove some \ characters 

r. Ismo

0 Karma
Reply

Abhay
Explorer
‎03-28-2024 03:39 AM

I appreciate your response here, but there are many xml tags in the event , as I mentioned in the example :

abc

xyz

 

So, you do not know what are the tags coming in the event, so it is dynamic.

 

My Field should be created dynamically with the tag's name and the corresponding value.

 

ex:- <abc>Wow</abc>

field name should not be hardcoded as "abc", it should take "abc" dynamically and the value should be "Wow"

Tags (2)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-28-2024 04:12 AM
Is it possible to extract those xml parts 1st and then use xmlkv command to those?
0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...