Solved: How to extract a complete multiline XML message in...

ankithreddy777 · ‎01-03-2017

I have a xml message with multiple lines. How can we extract entire data into a field?

niketn · ‎01-03-2017

Use replace command to remove new line characters from raw event data.
Use rex to identify start and end of XML data.

For example for the following data

2016/10/20 01:01:30.123 Request Data XML : <root>
<header>
    <name>test</name>
</header>
<data>
    <sno>12345</sno>
    <details>blah blah</details>
</root>

Following SPL should do the extraction. (PS: You might have to try to remove \r also based on whether you have just new line (\n) or line feed (\r) character as well in your raw data)

| <Your Base Search>
| eval rawsingleline= replace(_raw,"\n","") 
| rex field=rawsingleline "Request Data XML : (?<xmldata>.*)"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎01-03-2017

Use replace command to remove new line characters from raw event data.
Use rex to identify start and end of XML data.

For example for the following data

2016/10/20 01:01:30.123 Request Data XML : <root>
<header>
    <name>test</name>
</header>
<data>
    <sno>12345</sno>
    <details>blah blah</details>
</root>

Following SPL should do the extraction. (PS: You might have to try to remove \r also based on whether you have just new line (\n) or line feed (\r) character as well in your raw data)

| <Your Base Search>
| eval rawsingleline= replace(_raw,"\n","") 
| rex field=rawsingleline "Request Data XML : (?<xmldata>.*)"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How to extract a complete multiline XML message into a field?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life