
Key value field extraction from Cisco devices

marcluescher

Hi there,

Digging deeper into the REST API and XML parsing: when I run an XML status command on our IronPort, I get the following XML result.

"<status build="phoebe 13.5.1-277" hostname="mv15int.xxxx.com" timestamp="20200818100104">
<!-- Every value in this document is carried in an attribute; no element has text content.
     counters, rates and gauges are homogeneous lists whose entries are keyed by the name attribute. -->
<birth_time timestamp="20200706100631 (42d 23h 54m 33s)"/>
<last_counter_reset timestamp=""/>
<system status="online"/>
<oldest_message secs="3" mid="42741174"/>
<features>
<feature name="External Threat Feeds" time_remaining="11008734"/>
<feature name="Sophos" time_remaining="11008734"/>
<feature name="File Analysis" time_remaining="11008734"/>
<feature name="Bounce Verification" time_remaining="9712734"/>
<feature name="IronPort Anti-Spam" time_remaining="11008734"/>
<feature name="IronPort Email Encryption" time_remaining="11008734"/>
<feature name="Data Loss Prevention" time_remaining="11008734"/>
<feature name="File Reputation" time_remaining="11008734"/>
<feature name="Incoming Mail Handling" time_remaining="11077663"/>
<feature name="Outbreak Filters" time_remaining="11008734"/>
</features>
<counters>
<counter name="inj_msgs" reset="3890935" uptime="2294122" lifetime="3890935"/>
<counter name="inj_recips" reset="4939054" uptime="2698122" lifetime="4939054"/>
<counter name="gen_bounce_recips" reset="87501" uptime="71162" lifetime="87501"/>
<counter name="rejected_recips" reset="3418" uptime="1075" lifetime="3418"/>
<counter name="dropped_msgs" reset="0" uptime="0" lifetime="0"/>
<counter name="soft_bounced_evts" reset="1631" uptime="1451" lifetime="1631"/>
<counter name="completed_recips" reset="9789961" uptime="5324578" lifetime="9789961"/>
<counter name="hard_bounced_recips" reset="157862" uptime="134939" lifetime="157862"/>
<counter name="dns_hard_bounced_recips" reset="10635" uptime="5733" lifetime="10635"/>
<counter name="5xx_hard_bounced_recips" reset="147227" uptime="129206" lifetime="147227"/>
<counter name="filter_hard_bounced_recips" reset="0" uptime="0" lifetime="0"/>
<counter name="expired_hard_bounced_recips" reset="0" uptime="0" lifetime="0"/>
<counter name="other_hard_bounced_recips" reset="0" uptime="0" lifetime="0"/>
<counter name="delivered_recips" reset="9568380" uptime="5147976" lifetime="9568380"/>
<counter name="deleted_recips" reset="63719" uptime="41663" lifetime="63719"/>
<counter name="global_unsub_hits" reset="0" uptime="0" lifetime="0"/>
</counters>
<current_ids message_id="42741194" injection_conn_id="3948223" delivery_conn_id="1609988"/>
<rates>
<rate name="inj_msgs" last_1_min="3121" last_5_min="5078" last_15_min="6575"/>
<rate name="inj_recips" last_1_min="4795" last_5_min="7475" last_15_min="9384"/>
<rate name="soft_bounced_evts" last_1_min="0" last_5_min="12" last_15_min="4"/>
<rate name="completed_recips" last_1_min="9487" last_5_min="14846" last_15_min="18795"/>
<rate name="hard_bounced_recips" last_1_min="180" last_5_min="48" last_15_min="34"/>
<rate name="delivered_recips" last_1_min="9007" last_5_min="12997" last_15_min="16389"/>
</rates>
<gauges>
<gauge name="ram_utilization" current="12"/>
<gauge name="total_utilization" current="7"/>
<gauge name="cpu_utilization" current="3"/>
<gauge name="av_utilization" current="0"/>
<gauge name="case_utilization" current="0"/>
<gauge name="bm_utilization" current="0"/>
<gauge name="disk_utilization" current="0"/>
<gauge name="resource_conservation" current="0"/>
<gauge name="log_used" current="10"/>
<gauge name="log_available" current="333G"/>
<gauge name="conn_in" current="4"/>
<gauge name="conn_out" current="6"/>
<gauge name="active_recips" current="6"/>
<gauge name="unattempted_recips" current="6"/>
<gauge name="attempted_recips" current="0"/>
<gauge name="msgs_in_work_queue" current="0"/>
<gauge name="dests_in_memory" current="97"/>
<gauge name="kbytes_used" current="94"/>
<gauge name="kbytes_free" current="71303074"/>
<gauge name="msgs_in_policy_virus_outbreak_quarantine" current="0"/>
<gauge name="kbytes_in_policy_virus_outbreak_quarantine" current="0"/>
<gauge name="reporting_utilization" current="1"/>
<gauge name="quarantine_utilization" current="1"/>
</gauges>
</status>"

I tried some examples posted here: putting the XML into an XMLData field and then using spath to extract the data in question, but it tells me the XMLData content is not properly formatted.

 

What am I missing here?

 

-marc

 


marcluescher

next attempt:

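``` Build one event whose xmlData field holds the raw IronPort status XML, then pull a few attributes out of it. ```
``` The XML uses double-quoted attributes, so every inner quote must be escaped with a backslash; otherwise the eval string literal ends at the first attribute and the field holds a fragment that spath cannot parse. ```
| makeresults
| eval xmlData="<?xml version=\"1.0\" encoding=\"ISO-8859-1\" standalone=\"yes\"?>
<status build=\"phoebe 13.5.1-277\" hostname=\"mv11.xxxxxx.com\" timestamp=\"20200818110039\">
<birth_time timestamp=\"20200814174037 (3d 17h 20m 2s)\"/>
<last_counter_reset timestamp=\"\"/>
<system status=\"online\" />
<oldest_message secs=\"245375\" mid=\"209460215\" />
<features>
<feature name=\"External Threat Feeds\" time_remaining=\"59907559\" />
<feature name=\"Sophos\" time_remaining=\"11005159\" />
<feature name=\"File Analysis\" time_remaining=\"11005159\" />
<feature name=\"Bounce Verification\" time_remaining=\"58611559\" />
<feature name=\"IronPort Anti-Spam\" time_remaining=\"11005159\" />
<feature name=\"IronPort Email Encryption\" time_remaining=\"11005159\" />
<feature name=\"Data Loss Prevention\" time_remaining=\"11005159\" />
<feature name=\"Intelligent Multi-Scan\" time_remaining=\"59907559\" />
<feature name=\"File Reputation\" time_remaining=\"11005159\" />
<feature name=\"Incoming Mail Handling\" time_remaining=\"59951579\" />
<feature name=\"Outbreak Filters\" time_remaining=\"11005159\" />
</features>
<counters>
<counter name=\"inj_msgs\"
reset=\"44604624\"
uptime=\"175356\"
lifetime=\"44604624\" />
<counter name=\"inj_recips\"
reset=\"48330545\"
uptime=\"192130\"
lifetime=\"48330545\" />
<counter name=\"gen_bounce_recips\"
reset=\"1558902\"
uptime=\"0\"
lifetime=\"1558902\" />
<counter name=\"rejected_recips\"
reset=\"40744987\"
uptime=\"47166\"
lifetime=\"40744987\" />
<counter name=\"dropped_msgs\"
reset=\"2826803\"
uptime=\"25\"
lifetime=\"2826803\" />
<counter name=\"soft_bounced_evts\"
reset=\"339450\"
uptime=\"385\"
lifetime=\"339450\" />
<counter name=\"completed_recips\"
reset=\"114031458\"
uptime=\"478318\"
lifetime=\"114031458\" />
<counter name=\"hard_bounced_recips\"
reset=\"1835386\"
uptime=\"3733\"
lifetime=\"1835386\" />
<counter name=\"dns_hard_bounced_recips\"
reset=\"60940\"
uptime=\"50\"
lifetime=\"60940\" />
<counter name=\"5xx_hard_bounced_recips\"
reset=\"1701075\"
uptime=\"3095\"
lifetime=\"1701075\" />
<counter name=\"filter_hard_bounced_recips\"
reset=\"0\"
uptime=\"0\"
lifetime=\"0\" />
<counter name=\"expired_hard_bounced_recips\"
reset=\"73371\"
uptime=\"588\"
lifetime=\"73371\" />
<counter name=\"other_hard_bounced_recips\"
reset=\"0\"
uptime=\"0\"
lifetime=\"0\" />
<counter name=\"delivered_recips\"
reset=\"112161130\"
uptime=\"474584\"
lifetime=\"112161130\" />
<counter name=\"deleted_recips\"
reset=\"34942\"
uptime=\"1\"
lifetime=\"34942\" />
<counter name=\"global_unsub_hits\"
reset=\"0\"
uptime=\"0\"
lifetime=\"0\" />
</counters>
<current_ids
message_id=\"210101094\"
injection_conn_id=\"58102268\"
delivery_conn_id=\"28016595\" />
<rates>
<rate name=\"inj_msgs\"
last_1_min=\"16613\"
last_5_min=\"12254\"
last_15_min=\"8450\" />
<rate name=\"inj_recips\"
last_1_min=\"16879\"
last_5_min=\"12518\"
last_15_min=\"9044\" />
<rate name=\"soft_bounced_evts\"
last_1_min=\"0\"
last_5_min=\"12\"
last_15_min=\"12\" />
<rate name=\"completed_recips\"
last_1_min=\"36682\"
last_5_min=\"40161\"
last_15_min=\"39231\" />
<rate name=\"hard_bounced_recips\"
last_1_min=\"0\"
last_5_min=\"80\"
last_15_min=\"214\" />
<rate name=\"delivered_recips\"
last_1_min=\"36682\"
last_5_min=\"40080\"
last_15_min=\"39016\" />
</rates>
<gauges>
<gauge name=\"ram_utilization\" current=\"9\" />
<gauge name=\"total_utilization\" current=\"45\" />
<gauge name=\"cpu_utilization\" current=\"84\" />
<gauge name=\"av_utilization\" current=\"0\" />
<gauge name=\"case_utilization\" current=\"0\" />
<gauge name=\"bm_utilization\" current=\"0\" />
<gauge name=\"disk_utilization\" current=\"2\" />
<gauge name=\"resource_conservation\" current=\"0\" />
<gauge name=\"log_used\" current=\"26\" />
<gauge name=\"log_available\" current=\"269G\" />
<gauge name=\"conn_in\" current=\"20\" />
<gauge name=\"conn_out\" current=\"12\" />
<gauge name=\"active_recips\" current=\"214\" />
<gauge name=\"unattempted_recips\" current=\"210\" />
<gauge name=\"attempted_recips\" current=\"4\" />
<gauge name=\"msgs_in_work_queue\" current=\"59\" />
<gauge name=\"dests_in_memory\" current=\"88\" />
<gauge name=\"kbytes_used\" current=\"53731\" />
<gauge name=\"kbytes_free\" current=\"71249437\" />
<gauge name=\"msgs_in_policy_virus_outbreak_quarantine\" current=\"44\" />
<gauge name=\"kbytes_in_policy_virus_outbreak_quarantine\" current=\"1210\" />
<gauge name=\"reporting_utilization\" current=\"16\" />
<gauge name=\"quarantine_utilization\" current=\"15\" />
</gauges>
</status>"
``` Every value in this document is an XML attribute, not element text, so the spath path must use the {@attribute} form and starts at the root element; a bare element name such as hostname or build matches nothing. ```
``` Type and Version both read the build attribute; the device reports codename and version in that one value. ```
| spath input=xmlData output=Type path="status{@build}"
| spath input=xmlData output=Host path="status{@hostname}"
| spath input=xmlData output=Version path="status{@build}"
| spath input=xmlData output=Status path="status.system{@status}"
| table Type Host Version Status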
