I want to remove the header tag in the XML during search time, as it was also not properly quoted.
Please help with the command.
I have to remove this tag from the data during search time:
<?xml version=1.0 encoding=utf-8?>
<?xml version=1.0 encoding=utf-8?><Material><ID>1</ID><Equip>001</Equip><Date>20201009</Date><Posting>20201009</Posting>
Hello @DataOrg
You can have your required part of the data during search time by adding the below configuration in props.conf.
[YouR_stanZa]
EXTRACT-myData = ^[^>\n]*>(?P<myData>.+)
In case you want it to be at index time, you can also use the below configuration.
[YouR_stanZa]
SEDCMD-a=s/(^[^>\n]*>)//g
I hope this will help you. 🙂
Please let me know if you have some special scenario.
Happy Splunking
🙂
index=_internal | head 1 | fields _raw _time | eval _raw="<?xml version=1.0 encoding=utf-8?><Material><ID>1</ID><Equip>001</Equip><Date>20201009</Date><Posting>20201009</Posting>" | xmlkv
How about this?
I don't need transformation, I just need to remove the header.
That's what the mode=sed does in my response:
| rex mode=sed "s/\<\?xml version=1\.0 encoding=utf-8\?\>//g"
I need to remove only the XML header, but I need the <ProductionPerformance> tag.
< xmlns:xsd=http://www.w3.org/2001/XMLSchema xmlns:Extended=http://www.wbf.org/xml/B2MML-V0401-AllExtensions xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance xmlns=http://www.wbf.org/xml/B2MML-V0401>
<ProductionPerformance xmlns:xsd=http://www.w3.org/2001/XMLSchema xmlns:Extended=http://www.wbf.org/xml/B2MML-V0401-AllExtensions xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance xmlns=http://www.wbf.org/xml/B2MML-V0401>
index=_internal | head 1 | fields _raw _time | eval _raw="<ProductionPerformance xmlns:xsd=http://www.w3.org/2001/XMLSchema xmlns:Extended=http://www.wbf.org/xml/B2MML-V0401-AllExtensions xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance xmlns=http://www.wbf.org/xml/B2MML-V0401>"
| rex mode=sed "s/xmlns.*>/>/"
@to4kawa it removes other upcoming data tags also; I just want to remove xmls content from the <ProductionPerformance> tag.
Input event:
<EventData><ProductionPerformance xmlns:xsd=http://www.w3.org/2001/XMLSchema xmlns:Extended=http://www.wbf.org/xml/B2MML-V0401-AllExtensions xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance xmlns=http://www.wbf.org/xml/B2MML-V0401></ProductionPerformance>
<date>21/1/2020</date>
<Message>Hello</Message>
</EventData>
Output I want:
<EventData><ProductionPerformance></ProductionPerformance>
<date>21/1/2020</date>
<Message>Hello</Message>
</EventData>
| rex mode=sed "s/\sxmlns(|:\w+)=[^\s\>]+//g"
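The three sed expressions from this thread, applied to the sample event and checked for well-formedness, as an added example that is not part of the original posts. The patterns are copied unchanged from the replies; the combined header-plus-event sample and the helper names (`strip_header`, `strip_greedy`, `strip_attrs`, `is_well_formed`) are constructed for illustration, and Python's `re` stands in for Splunk's `rex mode=sed`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the header from the question prepended to the thread's event.
HEADER = "<?xml version=1.0 encoding=utf-8?>"
NS = ("xmlns:xsd=http://www.w3.org/2001/XMLSchema "
      "xmlns:Extended=http://www.wbf.org/xml/B2MML-V0401-AllExtensions "
      "xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance "
      "xmlns=http://www.wbf.org/xml/B2MML-V0401")
EVENT = (HEADER + "<EventData><ProductionPerformance " + NS
         + "></ProductionPerformance>\n"
         "<date>21/1/2020</date>\n<Message>Hello</Message>\n</EventData>")

# The sed patterns posted in the thread, unchanged.
HEADER_RE = re.compile(r"\<\?xml version=1\.0 encoding=utf-8\?\>")
GREEDY_RE = re.compile(r"xmlns.*>")
ATTR_RE = re.compile(r"\sxmlns(|:\w+)=[^\s\>]+")


def strip_header(raw):
    """s/<header>//g : drops only the unquoted XML declaration."""
    return HEADER_RE.sub("", raw)


def strip_greedy(raw):
    """s/xmlns.*>/>/ : no g flag, so one substitution; .* runs to the last '>' on the line."""
    return GREEDY_RE.sub(">", raw, count=1)


def strip_attrs(raw):
    """s/\\sxmlns(|:\\w+)=[^\\s\\>]+//g : removes each xmlns attribute, stops before '>'."""
    return ATTR_RE.sub("", raw)


def is_well_formed(raw):
    """True if a strict XML parser accepts the event."""
    try:
        ET.fromstring(raw)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    body = strip_header(EVENT)
    for name, out in (("greedy", strip_greedy(body)), ("per-attribute", strip_attrs(body))):
        print(f"--- {name} (well-formed: {is_well_formed(out)})")
        print(out)
```

The greedy expression swallows the closing `</ProductionPerformance>` tag on the same line, while the per-attribute expression leaves an event that a strict XML parser accepts.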