Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract XMP, parse XML, and split it up with eval?

splunkernator
Path Finder
‎07-28-2022 01:26 PM

I got some embedded XML in a Syslog message.  I have no access to get under the bonnet in an admin sense.  I need to "grok" the message - ideally into stages 

1 - extract xml

2 - parse xml, split up with eval or something

I have seen a bunch of stuff around props.conf - but I guess I need to go to one of the "collector" nodes so it parses at source? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2022 05:25 AM

I agree that appears to be poorly-formatted XML.  Unfortunately, Splunk's spath and xpath commands will only parse properly formatted XML.  I'm afraid that means you'll have to use a series of rex commands to extract the desired fields.

| rex "\<SERVERDN>(?<SERVERDN>[^\<]+)"
| rex "\<SERVERPOOLDN>(?<SERVERPOOLDN>[^\<]+)"
and so on
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-28-2022 05:25 PM

If you don't have file system access then you won't be able to do much with props.conf.  You may have to stick with search-time extractions.

First, however, please share some sample data so we know what we're working with and have something with which to test.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

splunkernator
Path Finder
‎07-28-2022 10:46 PM

Hi thanks - I have had to basically make this up, so the shape of the data below is broadly the same, but utterly fabricated to protect my client.

2019-07-29T05:29:26.762Z DEBUG <foo-5-thread-2> [BarAgent] The asynchronousNotification message is: <TERMINALRESPONSE>   <SERVERDN>cn=00e5934f-12be-4cbf-8608-a75905dadbe7,ou=foo,dc=bar,dc=hyper,dc=out</SERVERDN>   <SERVERPOOLDN>cn=foo-bar-agent,ou=server groups,dc=bar,dc=hyper,dc=out</SERVERPOOLDN>   <SERVERDNSNAME>FOO-FB02Z-BAR019</SERVERDNSNAME>

What is interesting it the data doesn't seem "clean" - that there is no closing tag for <foo-5-thread-2> (i.e. no </foo-5-thread> ; and in other instances there is - if you can provide an example, I can take this away and work on it, much appreciated.

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-29-2022 05:25 AM

I agree that appears to be poorly-formatted XML.  Unfortunately, Splunk's spath and xpath commands will only parse properly formatted XML.  I'm afraid that means you'll have to use a series of rex commands to extract the desired fields.

| rex "\<SERVERDN>(?<SERVERDN>[^\<]+)"
| rex "\<SERVERPOOLDN>(?<SERVERPOOLDN>[^\<]+)"
and so on
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...