I got some embedded XML in a Syslog message. I have no access to get under the bonnet in an admin sense. I need to "grok" the message - ideally into stages
1 - extract xml
2 - parse xml, split up with eval or something
I have seen a bunch of stuff around props.conf - but I guess I need to go to one of the "collector" nodes so it parses at source?
I agree that appears to be poorly-formatted XML. Unfortunately, Splunk's spath and xpath commands will only parse properly formatted XML. I'm afraid that means you'll have to use a series of rex commands to extract the desired fields.
| rex "\<SERVERDN>(?<SERVERDN>[^\<]+)"
| rex "\<SERVERPOOLDN>(?<SERVERPOOLDN>[^\<]+)"
and so on
If you don't have file system access then you won't be able to do much with props.conf. You may have to stick with search-time extractions.
First, however, please share some sample data so we know what we're working with and have something with which to test.
Hi thanks - I have had to basically make this up, so the shape of the data below is broadly the same, but utterly fabricated to protect my client.
2019-07-29T05:29:26.762Z DEBUG <foo-5-thread-2> [BarAgent] The asynchronousNotification message is: <TERMINALRESPONSE> <SERVERDN>cn=00e5934f-12be-4cbf-8608-a75905dadbe7,ou=foo,dc=bar,dc=hyper,dc=out</SERVERDN> <SERVERPOOLDN>cn=foo-bar-agent,ou=server groups,dc=bar,dc=hyper,dc=out</SERVERPOOLDN> <SERVERDNSNAME>FOO-FB02Z-BAR019</SERVERDNSNAME>
What is interesting is that the data doesn't seem "clean": there is no closing tag for <foo-5-thread-2> (i.e. no </foo-5-thread>), and in other instances there is. If you can provide an example, I can take this away and work on it, much appreciated.
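To show concretely why the answer above reaches for rex rather than spath, here is an added example (not code from the thread or from Splunk) that runs the same two stages in Python over the fabricated event posted above: first pull the XML-looking payload out of the syslog line, then confirm a real XML parser rejects it and fall back to per-tag regex captures that mirror the SPL `rex "\<SERVERDN>(?<SERVERDN>[^\<]+)"` pattern. The sample line, the root tag name TERMINALRESPONSE used as the anchor, and the assumption that every field is an uppercase leaf tag with a matching close tag are all taken from or assumed on the basis of the posted sample; the field regex is a generalisation of the answer's one-rex-per-tag approach, so it picks up any such tag, not only the two the answer lists.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the fabricated event posted in this thread.
SAMPLE = (
    "2019-07-29T05:29:26.762Z DEBUG <foo-5-thread-2> [BarAgent] "
    "The asynchronousNotification message is: <TERMINALRESPONSE> "
    "<SERVERDN>cn=00e5934f-12be-4cbf-8608-a75905dadbe7,ou=foo,dc=bar,dc=hyper,dc=out</SERVERDN> "
    "<SERVERPOOLDN>cn=foo-bar-agent,ou=server groups,dc=bar,dc=hyper,dc=out</SERVERPOOLDN> "
    "<SERVERDNSNAME>FOO-FB02Z-BAR019</SERVERDNSNAME>"
)

# Tags in the payload are assumed (from the sample) to be uppercase names.
# One capture group per tag, value runs up to the next "<" exactly as the
# SPL rex does; additionally the matching close tag is required so that the
# unclosed container <TERMINALRESPONSE> is never reported as a field.
FIELD_RE = re.compile(r"<(?P<tag>[A-Z][A-Z0-9_]*)>(?P<value>[^<]+)</(?P=tag)>")


def extract_xml_fragment(line, root_tag="TERMINALRESPONSE"):
    """Stage 1: return everything from the first <root_tag> to end of line.

    Anchoring on the root tag rather than on the first "<" matters: the
    earlier "<foo-5-thread-2>" is the thread name, not part of the payload.
    Returns None when the line carries no such tag.
    """
    m = re.search(r"<" + re.escape(root_tag) + r">.*", line)
    return m.group(0) if m else None


def is_well_formed(fragment):
    """True if a strict XML parser accepts the fragment as a document."""
    try:
        ET.fromstring(fragment)
        return True
    except ET.ParseError:
        return False


def extract_fields(fragment):
    """Stage 2 fallback: regex capture of every simple <TAG>value</TAG> pair."""
    return {m.group("tag"): m.group("value") for m in FIELD_RE.finditer(fragment)}


def grok(line):
    """Run both stages; returns (well_formed, fields) for the line."""
    fragment = extract_xml_fragment(line)
    if fragment is None:
        return False, {}
    return is_well_formed(fragment), extract_fields(fragment)


if __name__ == "__main__":
    ok, fields = grok(SAMPLE)
    print("well-formed XML:", ok)  # False: no </TERMINALRESPONSE>
    for tag, value in fields.items():
        print(f"{tag} = {value}")
```

The `is_well_formed` check fails on the posted sample only because the root tag is never closed; appending `</TERMINALRESPONSE>` makes the same fragment parse, which is the quickest way to tell whether the data is genuinely malformed or merely truncated on the way into the log. In Splunk the equivalent of `extract_fields` is the series of per-tag rex commands given in the answer, run as search-time extractions since no file system access is available for props.conf.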