Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search And Global Replace Like Function in Splunk ???

bansi
Path Finder
‎12-02-2010 06:52 PM

I have XML log file in following format

<ContractId>true</ContractId><Name name-type="Name">true</Name><IncurredDate>true</IncurredDate>

I would like to search and replace the abov xml entry in the log file to ContractId, Name, IncurredDate

Tags (1)
0 Karma
Reply

bansi
Path Finder
‎12-03-2010 09:43 PM

How would i do the same for values meaning how to extract just the values instead of keys and then comma separate those values

0 Karma
Reply

bansi
Path Finder
‎12-02-2010 08:43 PM

the following sed command doesnt work
rex mode=sed s/>true./>/,/g
What am i missing?

0 Karma
Reply

bansi
Path Finder
‎12-02-2010 08:32 PM

I have following entries in Log file

truetruetrue

truetruetrue
I would like to search and extract only the tag names .
For example output should be tag names comma separated

ContractId, Name, IncurredDate
ContractId, Name, Date

My search command replaces only first occurence of so i tried something like rex mode=sed "s/find/replace/g" but even that didnt help
Please let me know the rex command to extract tag names

0 Karma
Reply

southeringtonp
Motivator
‎12-02-2010 08:29 PM

Are you just trying to extract fields?

Have you found the xmlkv command?

In general, the Search Reference and Search Command Cheat Sheet are good places to start.

Update:

Substitution really doesn't seem to be the best approach here. Why not just extract the matches for the beginning of a tag into a new field, then join them back together if you want a single line?

| rex field=_raw max_match=50 "\<(?<keys>[A-Za-z]+)"
| eval keys=mvjoin(keys,",")

If you're really that set on substitution for some reason, I suppose you could do something like:

| eval keys=_raw
| rex field=keys mode=sed "s/<([A-Za-z]+).*?<\/\1>/\1,/g"
| eval keys=substr(keys,1,len(keys)-1)

These are shown pulling from _raw, which is the full event text - if the XML string is already in another field you'll need to adjust for that.

While working with rex, if you need a reference on regular expression syntax, you might want to check
http://www.regular-expressions.info/

0 Karma
Reply

bansi
Path Finder
‎12-21-2010 07:47 PM

How would i remove duplicate keys in eval keys=mvjoin(keys,",")

0 Karma
Reply

bansi
Path Finder
‎12-02-2010 09:43 PM

Thanks it works

0 Karma
Reply

southeringtonp
Motivator
‎12-02-2010 09:19 PM

Ok. Trying to use substitution to blank out part of the string could work, but sounds like a more complicated approach than you need. Field extraction is likely to be easier. See edits above -- it's similar in principle to your other question at http://answers.splunk.com/questions/9505/filter-search-results

0 Karma
Reply

bansi
Path Finder
‎12-02-2010 08:58 PM

Yes i tried xmlkv and all other search commands in cheat sheet but nothing fits the bill. Look like i am running out of options.
Each entry in the log file is XML so i have to extract xml node names without worrying about its content all i need is node names.
The xml entry looks like this

truetruetrue

All i need to extract is node names like ContractId, Name, IncurredDate.

0 Karma
Reply

ftk
Motivator
‎12-02-2010 08:04 PM

I am not sure what you mean. Can you post an example output you're looking for?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...