Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can I get field extraction for XML data that i...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can I get field extraction for XML data that is a data field in a JSON event?
wfrankl2
Explorer
01-29-2016
04:24 AM
I have event data coming into Splunk as JSON, that's all fine and works great, but one of the fields they are going to use is XML. Is there a way to get the XML field extracted from that? Right now it puts the XML as the value in a data field, but they want to search on values in the XML.
snippet
ThreadId: 9
TransactionDataXML: <TransactionDataXML><Input><Extensions><SourceSystem>application</SourceSystem></Extensions></Input><Output><StorePolicyPacketServiceResponse><ResponseCode>0</ResponseCode><ResponseDetails><TransactionId>091ef6c7-7d6b-4374-ac6b-8ec67abc6a96</TransactionId><ElapsedTime>30080</ElapsedTime><MachineId>server</MachineId><OriginalRequest><Extensions><SourceSystem>application</SourceSystem></Extensions></OriginalRequest></ResponseDetails></StorePolicyPacketServiceResponse></Output></TransactionDataXML>
TransactionDateTime: 2016-01-28T14:38:36.729986-05:00
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
01-29-2016
07:36 AM
Try something like this (run anywhere sample)
| gentimes start=-1 | eval _raw="{
\"LogName\": \"ExampleLog\",
\"CorrelationId\": \"f879095a-0109-4235-8ba8-218f43f27220\",
\"LoggingLevel\": \"All\",
\"ThreadId\": \"9\",
\"LocalTimeStamp\": \"2016-01-28T14:38:36.748986-05:00\",
\"AccessModeName\": \"ABC\",
\"AgentCode\": \"00000\",
\"AgentPrefixCode\": \"CA\",
\"ApplicationName\": \"UQ\",
\"ChannelCode\": \"DI\",
\"CIFCommonSchemaVersionNbr\": \"V0200\",
\"CIFGeneratedSchemaId\": \"05c0b8a4-2954-4fb7-a6ae-def569bd4b63\",
\"CIFSoftwareVersionNbr\": \"1.2\",
\"DataCenterLocationText\": \"None\",
\"InstrumentationLogDateTime\": \"/Date(1454070556298)/\",
\"LoggingComputerSystemName\": \"mycomputer\",
\"LoggingLevelName\": \"Critical\",
\"MessageText\": \"Hello world\",
\"OperatingEnvironmentName\": \"Development\",
\"PartyLogonIdTypeName\": \"None\",
\"TransactionDataXML\": \"<application><GUID>0091ef6c7-7d6b-4374-ac6b-8ec67abc6a9630080</GUID><name>Test</name></application>\",
\"TransactionDateTime\": \"2016-01-28T14:38:36.729986-05:00\",
\"CIFSchemaValidationErrors\": [
\"AccessModeName should be 10 characters\"
],
\"CIFSchemaValidated\": true,
\"Custom1\": \"Custom1Value\",
\"EventId\": 0,
\"CIFUniqueMessageId\": \"f879095a-0109-4235-8ba8-218f43f27220\"
}" | table _raw | spath| spath input=TransactionDataXML
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alemarzu
Motivator
01-29-2016
05:20 AM
Read this,
http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/Spath
Can you share a sample event ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wfrankl2
Explorer
01-29-2016
06:59 AM
I will check it out. I tried to give a snippet of the code but it removed all formatting. I will give it another try.
{"LogName":"ExampleLog","CorrelationId":"f879095a-0109-4235-8ba8-218f43f27220","LoggingLevel":"All","ThreadId":"9","LocalTimeStamp":"2016-01-28T14:38:36.748986-05:00","AccessModeName":"ABC","AgentCode":"00000","AgentPrefixCode":"CA","ApplicationName":"UQ","ChannelCode":"DI","CIFCommonSchemaVersionNbr":"V0200","CIFGeneratedSchemaId":"05c0b8a4-2954-4fb7-a6ae-def569bd4b63","CIFSoftwareVersionNbr":"1.2","DataCenterLocationText":"None","InstrumentationLogDateTime":"/Date(1454070556298)/","LoggingComputerSystemName":"mycomputer","LoggingLevelName":"Critical","MessageText":"Hello world","OperatingEnvironmentName":"Development","PartyLogonIdTypeName":"None","TransactionDataXML":"application0091ef6c7-7d6b-4374-ac6b-8ec67abc6a9630080serverapplication","TransactionDateTime":"2016-01-28T14:38:36.729986-05:00","CIFSchemaValidationErrors":["AccessModeName should be 10 characters"],"CIFSchemaValidated":true,"Custom1":"Custom1Value","EventId":0,"CIFUniqueMessageId":"f879095a-0109-4235-8ba8-218f43f27220"}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wfrankl2
Explorer
01-29-2016
07:05 AM
It removes my xml formatting when I paste it in. the TransactiondataXML is the field where the data would be.
Get Updates on the Splunk Community!
New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...
The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...
Alerting Best Practices: How to Create Good Detectors
At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...
Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...
Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...
