
Key value field extraction from Cisco devices

marcluescher
Explorer

Hi there,

digging deeper into the REST API and XML parsing. When running an XML status command on our Ironport I get the following XML result displayed.

"<status build="phoebe 13.5.1-277" hostname="mv15int.xxxx.com" timestamp="20200818100104">
<birth_time timestamp="20200706100631 (42d 23h 54m 33s)"/>
<last_counter_reset timestamp=""/>
<system status="online"/>
<oldest_message secs="3" mid="42741174"/>
<features>
<feature name="External Threat Feeds" time_remaining="11008734"/>
<feature name="Sophos" time_remaining="11008734"/>
<feature name="File Analysis" time_remaining="11008734"/>
<feature name="Bounce Verification" time_remaining="9712734"/>
<feature name="IronPort Anti-Spam" time_remaining="11008734"/>
<feature name="IronPort Email Encryption" time_remaining="11008734"/>
<feature name="Data Loss Prevention" time_remaining="11008734"/>
<feature name="File Reputation" time_remaining="11008734"/>
<feature name="Incoming Mail Handling" time_remaining="11077663"/>
<feature name="Outbreak Filters" time_remaining="11008734"/>
</features>
<counters>
<counter name="inj_msgs" reset="3890935" uptime="2294122" lifetime="3890935"/>
<counter name="inj_recips" reset="4939054" uptime="2698122" lifetime="4939054"/>
<counter name="gen_bounce_recips" reset="87501" uptime="71162" lifetime="87501"/>
<counter name="rejected_recips" reset="3418" uptime="1075" lifetime="3418"/>
<counter name="dropped_msgs" reset="0" uptime="0" lifetime="0"/>
<counter name="soft_bounced_evts" reset="1631" uptime="1451" lifetime="1631"/>
<counter name="completed_recips" reset="9789961" uptime="5324578" lifetime="9789961"/>
<counter name="hard_bounced_recips" reset="157862" uptime="134939" lifetime="157862"/>
<counter name="dns_hard_bounced_recips" reset="10635" uptime="5733" lifetime="10635"/>
<counter name="5xx_hard_bounced_recips" reset="147227" uptime="129206" lifetime="147227"/>
<counter name="filter_hard_bounced_recips" reset="0" uptime="0" lifetime="0"/>
<counter name="expired_hard_bounced_recips" reset="0" uptime="0" lifetime="0"/>
<counter name="other_hard_bounced_recips" reset="0" uptime="0" lifetime="0"/>
<counter name="delivered_recips" reset="9568380" uptime="5147976" lifetime="9568380"/>
<counter name="deleted_recips" reset="63719" uptime="41663" lifetime="63719"/>
<counter name="global_unsub_hits" reset="0" uptime="0" lifetime="0"/>
</counters>
<current_ids message_id="42741194" injection_conn_id="3948223" delivery_conn_id="1609988"/>
<rates>
<rate name="inj_msgs" last_1_min="3121" last_5_min="5078" last_15_min="6575"/>
<rate name="inj_recips" last_1_min="4795" last_5_min="7475" last_15_min="9384"/>
<rate name="soft_bounced_evts" last_1_min="0" last_5_min="12" last_15_min="4"/>
<rate name="completed_recips" last_1_min="9487" last_5_min="14846" last_15_min="18795"/>
<rate name="hard_bounced_recips" last_1_min="180" last_5_min="48" last_15_min="34"/>
<rate name="delivered_recips" last_1_min="9007" last_5_min="12997" last_15_min="16389"/>
</rates>
<gauges>
<gauge name="ram_utilization" current="12"/>
<gauge name="total_utilization" current="7"/>
<gauge name="cpu_utilization" current="3"/>
<gauge name="av_utilization" current="0"/>
<gauge name="case_utilization" current="0"/>
<gauge name="bm_utilization" current="0"/>
<gauge name="disk_utilization" current="0"/>
<gauge name="resource_conservation" current="0"/>
<gauge name="log_used" current="10"/>
<gauge name="log_available" current="333G"/>
<gauge name="conn_in" current="4"/>
<gauge name="conn_out" current="6"/>
<gauge name="active_recips" current="6"/>
<gauge name="unattempted_recips" current="6"/>
<gauge name="attempted_recips" current="0"/>
<gauge name="msgs_in_work_queue" current="0"/>
<gauge name="dests_in_memory" current="97"/>
<gauge name="kbytes_used" current="94"/>
<gauge name="kbytes_free" current="71303074"/>
<gauge name="msgs_in_policy_virus_outbreak_quarantine" current="0"/>
<gauge name="kbytes_in_policy_virus_outbreak_quarantine" current="0"/>
<gauge name="reporting_utilization" current="1"/>
<gauge name="quarantine_utilization" current="1"/>
</gauges>
</status>"

I tried some examples posted here: putting the XML into an XMLData field and then using spath to extract the data in question, but spath tells me the XMLData content is not properly formatted.

 

What am I missing here?

 

-marc

 


marcluescher
Explorer

next attempt:

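| makeresults ```one synthetic event to carry the Ironport XML status output as a literal field```
| eval xmlData="<?xml version=\"1.0\" encoding=\"ISO-8859-1\" standalone=\"yes\"?>
<status build=\"phoebe 13.5.1-277\" hostname=\"mv11.xxxxxx.com\" timestamp=\"20200818110039\">
<birth_time timestamp=\"20200814174037 (3d 17h 20m 2s)\"/>
<last_counter_reset timestamp=\"\"/>
<system status=\"online\" />
<oldest_message secs=\"245375\" mid=\"209460215\" />
<features>
<feature name=\"External Threat Feeds\" time_remaining=\"59907559\" />
<feature name=\"Sophos\" time_remaining=\"11005159\" />
<feature name=\"File Analysis\" time_remaining=\"11005159\" />
<feature name=\"Bounce Verification\" time_remaining=\"58611559\" />
<feature name=\"IronPort Anti-Spam\" time_remaining=\"11005159\" />
<feature name=\"IronPort Email Encryption\" time_remaining=\"11005159\" />
<feature name=\"Data Loss Prevention\" time_remaining=\"11005159\" />
<feature name=\"Intelligent Multi-Scan\" time_remaining=\"59907559\" />
<feature name=\"File Reputation\" time_remaining=\"11005159\" />
<feature name=\"Incoming Mail Handling\" time_remaining=\"59951579\" />
<feature name=\"Outbreak Filters\" time_remaining=\"11005159\" />
</features>
<counters>
<counter name=\"inj_msgs\" reset=\"44604624\" uptime=\"175356\" lifetime=\"44604624\" />
<counter name=\"inj_recips\" reset=\"48330545\" uptime=\"192130\" lifetime=\"48330545\" />
<counter name=\"gen_bounce_recips\" reset=\"1558902\" uptime=\"0\" lifetime=\"1558902\" />
<counter name=\"rejected_recips\" reset=\"40744987\" uptime=\"47166\" lifetime=\"40744987\" />
<counter name=\"dropped_msgs\" reset=\"2826803\" uptime=\"25\" lifetime=\"2826803\" />
<counter name=\"soft_bounced_evts\" reset=\"339450\" uptime=\"385\" lifetime=\"339450\" />
<counter name=\"completed_recips\" reset=\"114031458\" uptime=\"478318\" lifetime=\"114031458\" />
<counter name=\"hard_bounced_recips\" reset=\"1835386\" uptime=\"3733\" lifetime=\"1835386\" />
<counter name=\"dns_hard_bounced_recips\" reset=\"60940\" uptime=\"50\" lifetime=\"60940\" />
<counter name=\"5xx_hard_bounced_recips\" reset=\"1701075\" uptime=\"3095\" lifetime=\"1701075\" />
<counter name=\"filter_hard_bounced_recips\" reset=\"0\" uptime=\"0\" lifetime=\"0\" />
<counter name=\"expired_hard_bounced_recips\" reset=\"73371\" uptime=\"588\" lifetime=\"73371\" />
<counter name=\"other_hard_bounced_recips\" reset=\"0\" uptime=\"0\" lifetime=\"0\" />
<counter name=\"delivered_recips\" reset=\"112161130\" uptime=\"474584\" lifetime=\"112161130\" />
<counter name=\"deleted_recips\" reset=\"34942\" uptime=\"1\" lifetime=\"34942\" />
<counter name=\"global_unsub_hits\" reset=\"0\" uptime=\"0\" lifetime=\"0\" />
</counters>
<current_ids message_id=\"210101094\" injection_conn_id=\"58102268\" delivery_conn_id=\"28016595\" />
<rates>
<rate name=\"inj_msgs\" last_1_min=\"16613\" last_5_min=\"12254\" last_15_min=\"8450\" />
<rate name=\"inj_recips\" last_1_min=\"16879\" last_5_min=\"12518\" last_15_min=\"9044\" />
<rate name=\"soft_bounced_evts\" last_1_min=\"0\" last_5_min=\"12\" last_15_min=\"12\" />
<rate name=\"completed_recips\" last_1_min=\"36682\" last_5_min=\"40161\" last_15_min=\"39231\" />
<rate name=\"hard_bounced_recips\" last_1_min=\"0\" last_5_min=\"80\" last_15_min=\"214\" />
<rate name=\"delivered_recips\" last_1_min=\"36682\" last_5_min=\"40080\" last_15_min=\"39016\" />
</rates>
<gauges>
<gauge name=\"ram_utilization\" current=\"9\" />
<gauge name=\"total_utilization\" current=\"45\" />
<gauge name=\"cpu_utilization\" current=\"84\" />
<gauge name=\"av_utilization\" current=\"0\" />
<gauge name=\"case_utilization\" current=\"0\" />
<gauge name=\"bm_utilization\" current=\"0\" />
<gauge name=\"disk_utilization\" current=\"2\" />
<gauge name=\"resource_conservation\" current=\"0\" />
<gauge name=\"log_used\" current=\"26\" />
<gauge name=\"log_available\" current=\"269G\" />
<gauge name=\"conn_in\" current=\"20\" />
<gauge name=\"conn_out\" current=\"12\" />
<gauge name=\"active_recips\" current=\"214\" />
<gauge name=\"unattempted_recips\" current=\"210\" />
<gauge name=\"attempted_recips\" current=\"4\" />
<gauge name=\"msgs_in_work_queue\" current=\"59\" />
<gauge name=\"dests_in_memory\" current=\"88\" />
<gauge name=\"kbytes_used\" current=\"53731\" />
<gauge name=\"kbytes_free\" current=\"71249437\" />
<gauge name=\"msgs_in_policy_virus_outbreak_quarantine\" current=\"44\" />
<gauge name=\"kbytes_in_policy_virus_outbreak_quarantine\" current=\"1210\" />
<gauge name=\"reporting_utilization\" current=\"16\" />
<gauge name=\"quarantine_utilization\" current=\"15\" />
</gauges>
</status>"
```Every double quote inside the XML is backslash-escaped: an unescaped quote ends the eval string at the first attribute value, which is what leaves spath with a malformed XML payload. The XML itself is treated as a literal and never reaches an entity-resolving parser.```
```spath addresses XML attributes as element{@attribute}; the path starts at the root element status.```
| spath input=xmlData output=Type path=status{@build}
| spath input=xmlData output=Host path=status{@hostname}
| spath input=xmlData output=Version path=status{@build} ```Type and Version both read the build attribute, as in the original search; split it with rex if product and version are wanted separately```
| spath input=xmlData output=Status path=status.system{@status}
| table Type Host Version Status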
