Splunk Search

How to extract XMP, parse XML, and split it up with eval?

splunkernator
Path Finder

I got some embedded XML in a Syslog message.  I have no access to get under the bonnet in an admin sense.  I need to "grok" the message - ideally into stages 

1 - extract xml

2 - parse xml, split up with eval or something

I have seen a bunch of stuff around props.conf - but I guess I need to go to one of the "collector" nodes so it parses at source? 

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

I agree that appears to be poorly-formatted XML.  Unfortunately, Splunk's spath and xpath commands will only parse properly formatted XML.  I'm afraid that means you'll have to use a series of rex commands to extract the desired fields.

| rex "\<SERVERDN>(?<SERVERDN>[^\<]+)"
| rex "\<SERVERPOOLDN>(?<SERVERPOOLDN>[^\<]+)"
and so on
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If you don't have file system access then you won't be able to do much with props.conf.  You may have to stick with search-time extractions.

First, however, please share some sample data so we know what we're working with and have something with which to test.

---
If this reply helps you, Karma would be appreciated.
0 Karma

splunkernator
Path Finder

Hi thanks - I have had to basically make this up, so the shape of the data below is broadly the same, but utterly fabricated to protect my client.

2019-07-29T05:29:26.762Z DEBUG <foo-5-thread-2> [BarAgent] The asynchronousNotification message is: <TERMINALRESPONSE>   <SERVERDN>cn=00e5934f-12be-4cbf-8608-a75905dadbe7,ou=foo,dc=bar,dc=hyper,dc=out</SERVERDN>   <SERVERPOOLDN>cn=foo-bar-agent,ou=server groups,dc=bar,dc=hyper,dc=out</SERVERPOOLDN>   <SERVERDNSNAME>FOO-FB02Z-BAR019</SERVERDNSNAME>

What is interesting it the data doesn't seem "clean" - that there is no closing tag for <foo-5-thread-2> (i.e. no </foo-5-thread> ; and in other instances there is - if you can provide an example, I can take this away and work on it, much appreciated.

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

I agree that appears to be poorly-formatted XML.  Unfortunately, Splunk's spath and xpath commands will only parse properly formatted XML.  I'm afraid that means you'll have to use a series of rex commands to extract the desired fields.

| rex "\<SERVERDN>(?<SERVERDN>[^\<]+)"
| rex "\<SERVERPOOLDN>(?<SERVERPOOLDN>[^\<]+)"
and so on
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...

Thank You for Celebrating CX Day with Splunk!

Yesterday the entire team at Splunk &#43; Cisco joined the global celebration of CX Day - celebrating our ...