Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract XMP, parse XML, and split it up with eval?

splunkernator
Path Finder
‎07-28-2022 01:26 PM

I got some embedded XML in a Syslog message.  I have no access to get under the bonnet in an admin sense.  I need to "grok" the message - ideally into stages 

1 - extract xml

2 - parse xml, split up with eval or something

I have seen a bunch of stuff around props.conf - but I guess I need to go to one of the "collector" nodes so it parses at source? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2022 05:25 AM

I agree that appears to be poorly-formatted XML.  Unfortunately, Splunk's spath and xpath commands will only parse properly formatted XML.  I'm afraid that means you'll have to use a series of rex commands to extract the desired fields.

| rex "\<SERVERDN>(?<SERVERDN>[^\<]+)"
| rex "\<SERVERPOOLDN>(?<SERVERPOOLDN>[^\<]+)"
and so on
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-28-2022 05:25 PM

If you don't have file system access then you won't be able to do much with props.conf.  You may have to stick with search-time extractions.

First, however, please share some sample data so we know what we're working with and have something with which to test.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

splunkernator
Path Finder
‎07-28-2022 10:46 PM

Hi thanks - I have had to basically make this up, so the shape of the data below is broadly the same, but utterly fabricated to protect my client.

2019-07-29T05:29:26.762Z DEBUG <foo-5-thread-2> [BarAgent] The asynchronousNotification message is: <TERMINALRESPONSE>   <SERVERDN>cn=00e5934f-12be-4cbf-8608-a75905dadbe7,ou=foo,dc=bar,dc=hyper,dc=out</SERVERDN>   <SERVERPOOLDN>cn=foo-bar-agent,ou=server groups,dc=bar,dc=hyper,dc=out</SERVERPOOLDN>   <SERVERDNSNAME>FOO-FB02Z-BAR019</SERVERDNSNAME>

What is interesting it the data doesn't seem "clean" - that there is no closing tag for <foo-5-thread-2> (i.e. no </foo-5-thread> ; and in other instances there is - if you can provide an example, I can take this away and work on it, much appreciated.

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2022 05:25 AM

I agree that appears to be poorly-formatted XML.  Unfortunately, Splunk's spath and xpath commands will only parse properly formatted XML.  I'm afraid that means you'll have to use a series of rex commands to extract the desired fields.

| rex "\<SERVERDN>(?<SERVERDN>[^\<]+)"
| rex "\<SERVERPOOLDN>(?<SERVERPOOLDN>[^\<]+)"
and so on
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...
Top