
How to extract XML field data using transforms.conf?


How do I extract the XML data contained in the AUDDET_STR field of the following event using transforms.conf settings?

"2016-04-17 12:04:38:935" REC_TS="2016-04-17 12:04:38:935", USERID="sysadmin", AUDTENTRYSEQNUM="0", AUDTSEQNUM="1", DATASRC="NONE", AUDTENTRYTYP="OBEY", SRVCID="DA", AUDDET_STR="<Audit_loggingRq><Timestamp>2016-04-17T12:23:38.93533Z</Timestamp><ContextDescr>SECURE-DA</ContextDescr><Ticket><UserID>SysAdmin</UserID><SessionNumber>1</SessionNumber><TerminalID>dci.exe#529</TerminalID></Ticket><ErrorData>OK</ErrorData><ActivityGroup><ActivityType>OB</ActivityType><TableGroup><TableName>NONE</TableName></TableGroup><KeyGroup><Key><KeyColumn><ColumnName>RowCount</ColumnName><Value>0</Value></KeyColumn></Key></KeyGroup></ActivityGroup></Audit_loggingRq>"


You could try with a field transformation.


Add the following to your transform:

# an opening tag, then the element text up to the next '<'
REGEX = <(\w+)>([^<]+)
# capture group 1 becomes the field name, group 2 its value
FORMAT = $1::$2
# keep every match of a repeated name as a multivalue field
MV_ADD = true

With this, if the same field appears more than once, it will get added as a multi-value field and you can use the multivalue functions in your search.


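To see what the answer's REGEX and FORMAT actually produce on the question's event before touching a live Splunk instance, here is an added Python emulation of the search-time extraction. It is not code from the post or from Splunk; it applies the same regex with the standard re module and reproduces the MV_ADD behaviour by hand. The stanza names in the docstring are hypothetical, the second event is constructed to contain two KeyColumn elements, and the transform is assumed to run against _raw (the default SOURCE_KEY), which is fine here because the only `<tag>text` sequences in the event sit inside AUDDET_STR. If a real deployment returns only the first element, check REPEAT_MATCH = true in transforms.conf, the setting that reapplies the regex from the end of the previous match.

```python
r"""Emulation of the transforms.conf extraction proposed in the answer.

Added, stand-alone example (not from the Splunk Answers post). Hypothetical
stanza names; the settings are the answer's plus the REPORT- hook in
props.conf that attaches a search-time transform to a sourcetype:

    # transforms.conf
    [xml_auddet_kv]
    REGEX = <(\w+)>([^<]+)
    FORMAT = $1::$2
    MV_ADD = true

    # props.conf
    [my_sourcetype]
    REPORT-xml_auddet = xml_auddet_kv
"""
import re
from collections import OrderedDict

# The event from the question, verbatim (one line, split here for readability).
EVENT = (
    '"2016-04-17 12:04:38:935" REC_TS="2016-04-17 12:04:38:935", USERID="sysadmin", '
    'AUDTENTRYSEQNUM="0", AUDTSEQNUM="1", DATASRC="NONE", AUDTENTRYTYP="OBEY", '
    'SRVCID="DA", AUDDET_STR="<Audit_loggingRq><Timestamp>2016-04-17T12:23:38.93533Z'
    '</Timestamp><ContextDescr>SECURE-DA</ContextDescr><Ticket><UserID>SysAdmin'
    '</UserID><SessionNumber>1</SessionNumber><TerminalID>dci.exe#529</TerminalID>'
    '</Ticket><ErrorData>OK</ErrorData><ActivityGroup><ActivityType>OB</ActivityType>'
    '<TableGroup><TableName>NONE</TableName></TableGroup><KeyGroup><Key><KeyColumn>'
    '<ColumnName>RowCount</ColumnName><Value>0</Value></KeyColumn></Key></KeyGroup>'
    '</ActivityGroup></Audit_loggingRq>"'
)

# Constructed variant (not from the page): two KeyColumn elements and an
# XML-escaped value, to exercise MV_ADD and show what the regex does not do.
EVENT_TWO_KEYS = (
    '"2016-04-17 12:05:01:000" REC_TS="2016-04-17 12:05:01:000", USERID="sysadmin", '
    'AUDDET_STR="<Audit_loggingRq><ErrorData>timeout &lt; 30s</ErrorData>'
    '<ActivityGroup><KeyGroup><Key>'
    '<KeyColumn><ColumnName>RowCount</ColumnName><Value>0</Value></KeyColumn>'
    '<KeyColumn><ColumnName>TableKey</ColumnName><Value>42</Value></KeyColumn>'
    '</Key></KeyGroup></ActivityGroup></Audit_loggingRq>"'
)

# REGEX from the answer: an opening tag followed by text up to the next '<'.
# Container elements (<Ticket><UserID>) and closing tags (</Timestamp>) do not
# match: '\w+' cannot consume '/', and '[^<]+' needs at least one character
# of text before the next tag. Entities such as '&lt;' are left as-is.
TAG_TEXT = re.compile(r"<(\w+)>([^<]+)")


def extract(event, mv_add=True):
    """Emulate FORMAT = $1::$2 over every match of the regex in the event.

    Returns an ordered mapping field -> list of values. With mv_add=True a
    repeated element name accumulates values (Splunk's MV_ADD = true); with
    mv_add=False only the first value of each name is kept. Field names are
    case-sensitive, so the XML 'UserID' and the auto-extracted 'USERID'
    remain two different fields.
    """
    fields = OrderedDict()
    for match in TAG_TEXT.finditer(event):
        name, value = match.group(1), match.group(2)
        if name not in fields:
            fields[name] = [value]
        elif mv_add:
            fields[name].append(value)
    return fields


def pair_key_columns(fields):
    """Re-pair ColumnName with Value by position.

    The transform flattens the XML, so the <KeyColumn> grouping is lost and
    the two multivalue fields can only be matched up by index, which is what
    '| eval pairs=mvzip(ColumnName, Value)' does in SPL.
    """
    return list(zip(fields.get("ColumnName", []), fields.get("Value", [])))


if __name__ == "__main__":
    for name, values in extract(EVENT).items():
        print(f"{name} = {values}")
    print(pair_key_columns(extract(EVENT_TWO_KEYS)))
```

The flattening in pair_key_columns is the practical caveat: once the elements are extracted as independent fields, nesting such as which ColumnName belongs to which Value survives only as position in the multivalue lists, so anything that depends on that structure has to be rebuilt in the search (mvzip, or mvexpand on the zipped pairs).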