Splunk Search

How to configure Splunk to extract fields from XML tags?

rtestu_splunk
Splunk Employee
Splunk Employee

Hi!

I know there are many topics on XML field extractions, but did not see one that matches my requirement!

I receive XML events from a JMS queue (Active MQ) and the raw event in Splunk looks like that :

Thu Feb 25 19:20:14 CET 2016 name=QUEUE_msg_received event_id=ID:rtestu-mbair15-56318-1456424165985-1:6:1:1:1 msg_dest=queue.name msg_body=<typ:Reservation xmlns:typ="http://services.talend.org/reservation/types">
        <reservationId>376121286</reservationId>
        <customer>
            <city>Vegas</city>
            <email>…..

So, there are several key / value pairs that match the different JMS metadata (queue name, etc.) and the last one (msg_body) is the business payload, in XML.

I would like Splunk to automatically extract the XML tags as fields. Is it possible ?

I can't use kv_mode=xml since the event is only partially in XML.
Is there a way to specify that a field is an XML field so that Splunk could parse it and extract the tags?

By the way, I managed to do it via a search, but would like to be able to do it via configuration to simplify all the searches.

Thanks !
Romain.

0 Karma
1 Solution

fdi01
Motivator

rtestu_splunk
Splunk Employee
Splunk Employee

That's exactly what I needed. Just tried and it works.
Apparently, I did not search enough ... 😞

Thanks a lot !
Romain.

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...