
Key value field extraction from Cisco devices

marcluescher

Hi there,

Digging deeper into the REST API and XML parsing: when I run an XML status command against our IronPort, I get the following XML result back.

"<status build="phoebe 13.5.1-277" hostname="mv15int.xxxx.com" timestamp="20200818100104">
<birth_time timestamp="20200706100631 (42d 23h 54m 33s)"/>
<last_counter_reset timestamp=""/>
<system status="online"/>
<oldest_message secs="3" mid="42741174"/>
<features>
<feature name="External Threat Feeds" time_remaining="11008734"/>
<feature name="Sophos" time_remaining="11008734"/>
<feature name="File Analysis" time_remaining="11008734"/>
<feature name="Bounce Verification" time_remaining="9712734"/>
<feature name="IronPort Anti-Spam" time_remaining="11008734"/>
<feature name="IronPort Email Encryption" time_remaining="11008734"/>
<feature name="Data Loss Prevention" time_remaining="11008734"/>
<feature name="File Reputation" time_remaining="11008734"/>
<feature name="Incoming Mail Handling" time_remaining="11077663"/>
<feature name="Outbreak Filters" time_remaining="11008734"/>
</features>
<counters>
<counter name="inj_msgs" reset="3890935" uptime="2294122" lifetime="3890935"/>
<counter name="inj_recips" reset="4939054" uptime="2698122" lifetime="4939054"/>
<counter name="gen_bounce_recips" reset="87501" uptime="71162" lifetime="87501"/>
<counter name="rejected_recips" reset="3418" uptime="1075" lifetime="3418"/>
<counter name="dropped_msgs" reset="0" uptime="0" lifetime="0"/>
<counter name="soft_bounced_evts" reset="1631" uptime="1451" lifetime="1631"/>
<counter name="completed_recips" reset="9789961" uptime="5324578" lifetime="9789961"/>
<counter name="hard_bounced_recips" reset="157862" uptime="134939" lifetime="157862"/>
<counter name="dns_hard_bounced_recips" reset="10635" uptime="5733" lifetime="10635"/>
<counter name="5xx_hard_bounced_recips" reset="147227" uptime="129206" lifetime="147227"/>
<counter name="filter_hard_bounced_recips" reset="0" uptime="0" lifetime="0"/>
<counter name="expired_hard_bounced_recips" reset="0" uptime="0" lifetime="0"/>
<counter name="other_hard_bounced_recips" reset="0" uptime="0" lifetime="0"/>
<counter name="delivered_recips" reset="9568380" uptime="5147976" lifetime="9568380"/>
<counter name="deleted_recips" reset="63719" uptime="41663" lifetime="63719"/>
<counter name="global_unsub_hits" reset="0" uptime="0" lifetime="0"/>
</counters>
<current_ids message_id="42741194" injection_conn_id="3948223" delivery_conn_id="1609988"/>
<rates>
<rate name="inj_msgs" last_1_min="3121" last_5_min="5078" last_15_min="6575"/>
<rate name="inj_recips" last_1_min="4795" last_5_min="7475" last_15_min="9384"/>
<rate name="soft_bounced_evts" last_1_min="0" last_5_min="12" last_15_min="4"/>
<rate name="completed_recips" last_1_min="9487" last_5_min="14846" last_15_min="18795"/>
<rate name="hard_bounced_recips" last_1_min="180" last_5_min="48" last_15_min="34"/>
<rate name="delivered_recips" last_1_min="9007" last_5_min="12997" last_15_min="16389"/>
</rates>
<gauges>
<gauge name="ram_utilization" current="12"/>
<gauge name="total_utilization" current="7"/>
<gauge name="cpu_utilization" current="3"/>
<gauge name="av_utilization" current="0"/>
<gauge name="case_utilization" current="0"/>
<gauge name="bm_utilization" current="0"/>
<gauge name="disk_utilization" current="0"/>
<gauge name="resource_conservation" current="0"/>
<gauge name="log_used" current="10"/>
<gauge name="log_available" current="333G"/>
<gauge name="conn_in" current="4"/>
<gauge name="conn_out" current="6"/>
<gauge name="active_recips" current="6"/>
<gauge name="unattempted_recips" current="6"/>
<gauge name="attempted_recips" current="0"/>
<gauge name="msgs_in_work_queue" current="0"/>
<gauge name="dests_in_memory" current="97"/>
<gauge name="kbytes_used" current="94"/>
<gauge name="kbytes_free" current="71303074"/>
<gauge name="msgs_in_policy_virus_outbreak_quarantine" current="0"/>
<gauge name="kbytes_in_policy_virus_outbreak_quarantine" current="0"/>
<gauge name="reporting_utilization" current="1"/>
<gauge name="quarantine_utilization" current="1"/>
</gauges>
</status>"

I tried some examples posted here: I put the XML into an xmlData field and then used spath to extract the data in question, but Splunk tells me the xmlData content is not properly formatted.

 

What am I missing here?

 

-marc

 


marcluescher

Next attempt:

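```Sample Cisco ESA (IronPort) XML status loaded into one event so spath can be tested against it.```
```The XML literal is wrapped in double quotes, so every double quote inside it must be escaped with a backslash; otherwise the eval string terminates early and spath reports the input as not properly formatted.```
| makeresults
| eval xmlData="<?xml version=\"1.0\" encoding=\"ISO-8859-1\" standalone=\"yes\"?>
<status build=\"phoebe 13.5.1-277\" hostname=\"mv11.xxxxxx.com\" timestamp=\"20200818110039\">
<birth_time timestamp=\"20200814174037 (3d 17h 20m 2s)\"/>
<last_counter_reset timestamp=\"\"/>
<system status=\"online\" />
<oldest_message secs=\"245375\" mid=\"209460215\" />
<features>
<feature name=\"External Threat Feeds\" time_remaining=\"59907559\" />
<feature name=\"Sophos\" time_remaining=\"11005159\" />
<feature name=\"File Analysis\" time_remaining=\"11005159\" />
<feature name=\"Bounce Verification\" time_remaining=\"58611559\" />
<feature name=\"IronPort Anti-Spam\" time_remaining=\"11005159\" />
<feature name=\"IronPort Email Encryption\" time_remaining=\"11005159\" />
<feature name=\"Data Loss Prevention\" time_remaining=\"11005159\" />
<feature name=\"Intelligent Multi-Scan\" time_remaining=\"59907559\" />
<feature name=\"File Reputation\" time_remaining=\"11005159\" />
<feature name=\"Incoming Mail Handling\" time_remaining=\"59951579\" />
<feature name=\"Outbreak Filters\" time_remaining=\"11005159\" />
</features>
<counters>
<counter name=\"inj_msgs\"
reset=\"44604624\"
uptime=\"175356\"
lifetime=\"44604624\" />
<counter name=\"inj_recips\"
reset=\"48330545\"
uptime=\"192130\"
lifetime=\"48330545\" />
<counter name=\"gen_bounce_recips\"
reset=\"1558902\"
uptime=\"0\"
lifetime=\"1558902\" />
<counter name=\"rejected_recips\"
reset=\"40744987\"
uptime=\"47166\"
lifetime=\"40744987\" />
<counter name=\"dropped_msgs\"
reset=\"2826803\"
uptime=\"25\"
lifetime=\"2826803\" />
<counter name=\"soft_bounced_evts\"
reset=\"339450\"
uptime=\"385\"
lifetime=\"339450\" />
<counter name=\"completed_recips\"
reset=\"114031458\"
uptime=\"478318\"
lifetime=\"114031458\" />
<counter name=\"hard_bounced_recips\"
reset=\"1835386\"
uptime=\"3733\"
lifetime=\"1835386\" />
<counter name=\"dns_hard_bounced_recips\"
reset=\"60940\"
uptime=\"50\"
lifetime=\"60940\" />
<counter name=\"5xx_hard_bounced_recips\"
reset=\"1701075\"
uptime=\"3095\"
lifetime=\"1701075\" />
<counter name=\"filter_hard_bounced_recips\"
reset=\"0\"
uptime=\"0\"
lifetime=\"0\" />
<counter name=\"expired_hard_bounced_recips\"
reset=\"73371\"
uptime=\"588\"
lifetime=\"73371\" />
<counter name=\"other_hard_bounced_recips\"
reset=\"0\"
uptime=\"0\"
lifetime=\"0\" />
<counter name=\"delivered_recips\"
reset=\"112161130\"
uptime=\"474584\"
lifetime=\"112161130\" />
<counter name=\"deleted_recips\"
reset=\"34942\"
uptime=\"1\"
lifetime=\"34942\" />
<counter name=\"global_unsub_hits\"
reset=\"0\"
uptime=\"0\"
lifetime=\"0\" />
</counters>
<current_ids
message_id=\"210101094\"
injection_conn_id=\"58102268\"
delivery_conn_id=\"28016595\" />
<rates>
<rate name=\"inj_msgs\"
last_1_min=\"16613\"
last_5_min=\"12254\"
last_15_min=\"8450\" />
<rate name=\"inj_recips\"
last_1_min=\"16879\"
last_5_min=\"12518\"
last_15_min=\"9044\" />
<rate name=\"soft_bounced_evts\"
last_1_min=\"0\"
last_5_min=\"12\"
last_15_min=\"12\" />
<rate name=\"completed_recips\"
last_1_min=\"36682\"
last_5_min=\"40161\"
last_15_min=\"39231\" />
<rate name=\"hard_bounced_recips\"
last_1_min=\"0\"
last_5_min=\"80\"
last_15_min=\"214\" />
<rate name=\"delivered_recips\"
last_1_min=\"36682\"
last_5_min=\"40080\"
last_15_min=\"39016\" />
</rates>
<gauges>
<gauge name=\"ram_utilization\" current=\"9\" />
<gauge name=\"total_utilization\" current=\"45\" />
<gauge name=\"cpu_utilization\" current=\"84\" />
<gauge name=\"av_utilization\" current=\"0\" />
<gauge name=\"case_utilization\" current=\"0\" />
<gauge name=\"bm_utilization\" current=\"0\" />
<gauge name=\"disk_utilization\" current=\"2\" />
<gauge name=\"resource_conservation\" current=\"0\" />
<gauge name=\"log_used\" current=\"26\" />
<gauge name=\"log_available\" current=\"269G\" />
<gauge name=\"conn_in\" current=\"20\" />
<gauge name=\"conn_out\" current=\"12\" />
<gauge name=\"active_recips\" current=\"214\" />
<gauge name=\"unattempted_recips\" current=\"210\" />
<gauge name=\"attempted_recips\" current=\"4\" />
<gauge name=\"msgs_in_work_queue\" current=\"59\" />
<gauge name=\"dests_in_memory\" current=\"88\" />
<gauge name=\"kbytes_free\" current=\"71249437\" />
<gauge name=\"kbytes_used\" current=\"53731\" />
<gauge name=\"msgs_in_policy_virus_outbreak_quarantine\" current=\"44\" />
<gauge name=\"kbytes_in_policy_virus_outbreak_quarantine\" current=\"1210\" />
<gauge name=\"reporting_utilization\" current=\"16\" />
<gauge name=\"quarantine_utilization\" current=\"15\" />
</gauges>
</status>"
```spath addresses XML attributes with {@attr}, and the root element (status) is part of the path; a bare attribute name like "build" or "hostname" matches nothing.```
```Type and Version both read the build attribute, as in the original attempt; there is no separate type attribute in this XML.```
| spath input=xmlData output=Type path="status{@build}"
| spath input=xmlData output=Host path="status{@hostname}"
| spath input=xmlData output=Version path="status{@build}"
| spath input=xmlData output=Status path="status.system{@status}"
| table Type Host Version Status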
