How to extract XMP, parse XML, and split it up with eval?

splunkernator
Path Finder

I got some embedded XML in a Syslog message. I have no access to get under the bonnet in an admin sense. I need to "grok" the message, ideally in stages:

1 - extract xml

2 - parse xml, split up with eval or something

I have seen a bunch of stuff around props.conf - but I guess I need to go to one of the "collector" nodes so it parses at source? 


richgalloway
SplunkTrust

If you don't have file system access then you won't be able to do much with props.conf.  You may have to stick with search-time extractions.

First, however, please share some sample data so we know what we're working with and have something with which to test.

---
If this reply helps you, Karma would be appreciated.

splunkernator
Path Finder

Hi thanks - I have had to basically make this up, so the shape of the data below is broadly the same, but utterly fabricated to protect my client.

2019-07-29T05:29:26.762Z DEBUG <foo-5-thread-2> [BarAgent] The asynchronousNotification message is: <TERMINALRESPONSE>   <SERVERDN>cn=00e5934f-12be-4cbf-8608-a75905dadbe7,ou=foo,dc=bar,dc=hyper,dc=out</SERVERDN>   <SERVERPOOLDN>cn=foo-bar-agent,ou=server groups,dc=bar,dc=hyper,dc=out</SERVERPOOLDN>   <SERVERDNSNAME>FOO-FB02Z-BAR019</SERVERDNSNAME>

What is interesting is that the data doesn't seem "clean" - there is no closing tag for <foo-5-thread-2> (i.e. no </foo-5-thread>), and in other instances there is. If you can provide an example, I can take this away and work on it, much appreciated.


richgalloway
SplunkTrust

I agree that appears to be poorly-formatted XML.  Unfortunately, Splunk's spath and xpath commands will only parse properly formatted XML.  I'm afraid that means you'll have to use a series of rex commands to extract the desired fields.

| rex "\<SERVERDN>(?<SERVERDN>[^\<]+)"
| rex "\<SERVERPOOLDN>(?<SERVERPOOLDN>[^\<]+)"
and so on
---
If this reply helps you, Karma would be appreciated.
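The two stages the question asks for (extract the XML, then split it into fields) shown outside Splunk, as an added example that is not part of the thread: it runs the constructed sample event from above through a real XML parser to show why spath/xpath reject it, then applies the same `<TAG>([^<]+)` pattern as the rex answer, generalised to every leaf tag rather than one rex per field.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample event, shaped like the one posted in the thread (not real data).
SAMPLE_EVENT = (
    "2019-07-29T05:29:26.762Z DEBUG <foo-5-thread-2> [BarAgent] "
    "The asynchronousNotification message is: <TERMINALRESPONSE>   "
    "<SERVERDN>cn=00e5934f-12be-4cbf-8608-a75905dadbe7,ou=foo,dc=bar,dc=hyper,dc=out</SERVERDN>   "
    "<SERVERPOOLDN>cn=foo-bar-agent,ou=server groups,dc=bar,dc=hyper,dc=out</SERVERPOOLDN>   "
    "<SERVERDNSNAME>FOO-FB02Z-BAR019</SERVERDNSNAME>"
)


def xml_fragment(event: str) -> str:
    """Stage 1: cut the event down to the XML payload, from <TERMINALRESPONSE> onward.

    Starting here drops the <foo-5-thread-2> token in the log prefix, which looks
    like a tag but is not part of the payload.
    """
    start = event.find("<TERMINALRESPONSE>")
    return event[start:] if start >= 0 else ""


def is_well_formed(xml_text: str) -> bool:
    """True only if a strict XML parser accepts the text (what spath/xpath require)."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        # The sample never closes <TERMINALRESPONSE>, so this path is taken for it.
        return False


# Same idea as the rex in the answer: a tag name, then everything up to the next '<'.
# Generalised to capture the tag name too, so one pattern covers every leaf element.
LEAF_TAG = re.compile(r"<([A-Za-z][\w-]*)>([^<]+)")


def extract_fields(event: str) -> dict:
    """Stage 2: split the payload into name/value pairs without needing valid XML.

    Whitespace-only captures (e.g. the padding after <TERMINALRESPONSE>) are dropped,
    since they belong to a container element, not a field.
    """
    fields = {}
    for tag, value in LEAF_TAG.findall(xml_fragment(event)):
        if value.strip():
            fields[tag] = value.strip()
    return fields
```

The same loop expressed in SPL is one rex per field, exactly as in the answer; the Python version just makes the "why the parser fails" step visible.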