Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

Extracting fields in payload xml multiline log

changux
Builder
โ€Ž05-25-2015 07:41 PM

Hi all.

I need help setting an input and extracting multiline fields with one entry like this:

####<May 2, 2015 23:37:26 PM PCT> <Warning> <TGFG Logging> <host> <source> <[ACTIVE] ExecuteThread: '26' for queue: 'jboss.kernel.Default (self-tuning)'> <<user>> <> <y7433edf553abf7c3:-12a453ef2:148c05609dd:-5000-000000000000342> <54564444> <JB-000000> < [FILE34, null, null, REQUEST] <!--- Input BD Profiles -->: <soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <ns:RunService xmlns:ns="http://mysite.com/s3" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <ns:data>
      <con:java-content ref="jcid:-12ac44f2:35t54ed33:-4ea8" xmlns:con="http://www.jobss.com/wli/sb/context"/>
    </ns:data>
  </ns:RunService>
</soapenv:Body>>

Useful info:

  • All the events begin with the same:

  • I need to extract the field "Status", in the example is the single word between the < > after the timestamp (<Warning>).

  • Also, i need to extract the <host>

  • I need to extract the <source>

  • Everything left must be called "Payload".

Anyone can help me?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
โ€Ž06-03-2015 06:22 AM

Like I said, fix your linebreaking and timestampinginprops.conf` first or you'll never get anything off the ground but once you do, this will work:

| rex "^####<[^>]+>\s*<(?<Status>[^>]+)>\s*<[^>]+>\s*<(?<Host>[^>]+)>\s*<(?<Source>[^>]+)>\s*(?<Payload>.*)$"

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
โ€Ž06-03-2015 06:22 AM

Like I said, fix your linebreaking and timestampinginprops.conf` first or you'll never get anything off the ground but once you do, this will work:

| rex "^####<[^>]+>\s*<(?<Status>[^>]+)>\s*<[^>]+>\s*<(?<Host>[^>]+)>\s*<(?<Source>[^>]+)>\s*(?<Payload>.*)$"

View solution in original post

Reply
Solved! Jump to solution

changux
Builder
โ€Ž06-03-2015 02:11 PM

You rock! thanks!

0 Karma
Reply
Solved! Jump to solution

changux
Builder
โ€Ž06-03-2015 01:35 PM

Works very nice. How i can extract only the "payload"?

Thank you so much!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
โ€Ž06-03-2015 01:55 PM 
| rex "^####<[^>]+>\s*<[^>]+>\s*<[^>]+>\s*<[^>]+>\s*<[^>]+>\s*(?<Payload>.*)$"

Don't forget to click "Accept".

0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
โ€Ž06-03-2015 02:48 PM

If they're already editing props.conf, why would you suggest they use rex instead of adding an EXTRACT ?

0 Karma
Reply
Solved! Jump to solution

lcrielaa
Communicator
โ€Ž06-02-2015 11:38 PM

| rex field=_raw "####<[^>]+>\s<(?[^>]+)>\s<[^>]+>\s<(?[^>]+)>\s<(?[^>]+)>\s(?.*)"

That'll do the extracting you want but like the other said, you'll need to fix your linebreaking and timestamping via your props.conf.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
โ€Ž05-26-2015 05:31 AM

All that you are asking is possible and not too difficult but you are WAY ahead of yourself. You need to get timestamping and linebreaking working first. Are you working on that?

Reply
Solved! Jump to solution

changux
Builder
โ€Ž06-02-2015 12:49 PM

Yes, but doesn't work properly.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
โ€Ž05-25-2015 07:56 PM

Do you have anything at all coming into Splunk yet? In other words, do you have inputs.conf working and timestamp recognition working?

0 Karma
Reply
Solved! Jump to solution

changux
Builder
โ€Ž05-25-2015 08:03 PM

Not for now. My test extracts fields with the symbols ( <> ), not only the content ๐Ÿ˜ž

0 Karma
Reply