Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to remove contents between tags in XML with re...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SplunkCSIT
Communicator
04-20-2014
05:23 AM
Hi,
What will be the likely regex to remove the contents of the and
I tried regex: (. * ?)<body>. * ?</body>(. * ?)<content>. * ?
but it does not work because there are a few whitespaces in the contents of the and
<!--test-->
+K9PCLp/+p3cFC8OcOZg8WReI4wlpYzgS3/XsB4LL9MegSHwjjI9jNsnQOr9EeLA
IgDEb1NeXZ499qnSY1ZvCy/VCF1O7H71y77VQTckpfyHgWvzkaaaheMC0r+JGLZO
0w3NCTERFJ8XaXKz/+qw4gA7xxbpT9nXVXMwEwYgiAviJBJhdYw63oTlRYGgGzPh
H2YVNv2TWnpWp816xi+sbM1ZsJJERnAZSADKFYZzYw4E73VhUlrX5YBY4WN7UmQw
kUmsZUX709sMBHZN/9aniaVBsLxszHw9xu5OuSz/lHkckplcwb94XDLh1KGGO+1Q
LzbpFYPqe3BANLK5xxlQAAti/uk0XYltVJfUOCzyxl282X3Tp/77FtiGGb8RI1HY
hslojkAQa9gK1+f44Y8LwHH5k7fQr+Q+luqP7inoEQWbpWW4hu80Wkafv/bzI/xu
Z1qGcEVcJGJPP7QwQWUp53FbZuIq742CoxNklwvlnjhEaXa5rG2dmHUREawVzz+q
M8RkPBZIBge0SVY=
=WznL
ChDSQpu30B5MIAaR+j8/FfrAmERlXv7RWzY5mb/4InvUoDF4Bs10Rqb2twHNsyLPpW9FTeQ7Z3ftaXShK
cyPeh6zOvMwDRKLxdQ=endofcontentjWDgAy5cp6+EnitDkTUiIaXMsN6tW5rEFQsTabuSm8kW7CMUEV=
-retREREEEF
Rendofcontent
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SplunkCSIT
Communicator
04-27-2014
01:39 AM
I seems able to resolve my query by configuring transforms.conf as below:
SOURCE_KEY=_raw
REGEX = (. * ?)< body \ >([\s\S] * )<\/ body \ >([\s\S] * ) \ < cont \ > ([\s\S] * )< \ / cont \ >([\s\S] *)
DEST_KEY=_raw
FORMAT=$1< body>###***#< /body>$3< cont>###< /cont>$5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SplunkCSIT
Communicator
04-27-2014
01:39 AM
I seems able to resolve my query by configuring transforms.conf as below:
SOURCE_KEY=_raw
REGEX = (. * ?)< body \ >([\s\S] * )<\/ body \ >([\s\S] * ) \ < cont \ > ([\s\S] * )< \ / cont \ >([\s\S] *)
DEST_KEY=_raw
FORMAT=$1< body>###***#< /body>$3< cont>###< /cont>$5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jgedeon120
Contributor
04-20-2014
06:30 AM
<body>.+<\/body>|<cont>.+<\/cont>
A site that will help you test regex, http://www.regexr.com/
Get Updates on the Splunk Community!
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
A Prelude to .conf25: Your Guide to Splunk University
Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
4 Ways the Splunk Community Helps You Prepare for .conf25
.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...
