Splunk Search

Search And Global Replace Like Function in Splunk ???

bansi
Path Finder

I have an XML log file in the following format:

<ContractId>true</ContractId><Name name-type="Name">true</Name><IncurredDate>true</IncurredDate> 

I would like to search for and replace the above XML entry in the log file with ContractId, Name, IncurredDate

0 Karma

bansi
Path Finder

How would I do the same for values, meaning how do I extract just the values instead of the keys and then comma-separate those values?

0 Karma

bansi
Path Finder

The following sed command doesn't work:
rex mode=sed s/>true./>/,/g
What am I missing?

0 Karma

bansi
Path Finder

I have the following entries in the log file:

<ContractId>true</ContractId><Name name-type="Name">true</Name><IncurredDate>true</IncurredDate>

<ContractId>true</ContractId><Name>true</Name><Date>true</Date>

I would like to search and extract only the tag names.
For example, the output should be the tag names, comma-separated:

ContractId, Name, IncurredDate
ContractId, Name, Date

My search command replaces only the first occurrence of so I tried something like rex mode=sed "s/find/replace/g", but even that didn't help.
Please let me know the rex command to extract the tag names.

0 Karma

southeringtonp
Motivator

Are you just trying to extract fields?

Have you found the xmlkv command?

In general, the Search Reference and Search Command Cheat Sheet are good places to start.


Update:

Substitution really doesn't seem to be the best approach here. Why not just extract the matches for the beginning of a tag into a new field, then join them back together if you want a single line?

| rex field=_raw max_match=50 "\<(?<keys>[A-Za-z]+)"
| eval keys=mvjoin(keys,",")

If you're really that set on substitution for some reason, I suppose you could do something like:

| eval keys=_raw
| rex field=keys mode=sed "s/<([A-Za-z]+).*?<\/\1>/\1,/g"
| eval keys=substr(keys,1,len(keys)-1)

These are shown pulling from _raw, which is the full event text - if the XML string is already in another field you'll need to adjust for that.

While working with rex, if you need a reference on regular expression syntax, you might want to check
http://www.regular-expressions.info/

0 Karma
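The two pipelines in the answer above, re-run outside Splunk so the regex behaviour can be checked line by line. This is an added example written for this page with Python's re module; it is not Splunk code and not from the original post. The sample events are constructed from the thread, and the value-extraction and de-duplication helpers are the editor's additions that go beyond the answer (they correspond to the follow-up questions about values and duplicate keys).

```python
import re

# Constructed sample events in the shape the thread describes (not real log data).
EVENTS = [
    '<ContractId>true</ContractId><Name name-type="Name">true</Name>'
    '<IncurredDate>true</IncurredDate>',
    '<ContractId>true</ContractId><Name>true</Name><Date>true</Date>',
]

# Mirrors: | rex field=_raw max_match=50 "\<(?<keys>[A-Za-z]+)"
# A '<' followed by a letter is an opening tag. A closing tag is '</...', and '/'
# is not a letter, so closing tags never match and are not extracted twice.
OPEN_TAG = re.compile(r"<([A-Za-z]+)")


def extract_keys(raw: str, max_match: int = 50) -> list[str]:
    """Return the opening-tag names in document order, capped like rex max_match."""
    return OPEN_TAG.findall(raw)[:max_match]


def join_keys(keys: list[str], sep: str = ",") -> str:
    """Mirrors: | eval keys=mvjoin(keys,",")"""
    return sep.join(keys)


# Mirrors: | rex field=keys mode=sed "s/<([A-Za-z]+).*?<\/\1>/\1,/g"
# The lazy .*? stops at the first matching close tag for the captured name,
# which is why the attribute on <Name name-type="Name"> does not break it.
ELEMENT_SED = re.compile(r"<([A-Za-z]+).*?</\1>")


def keys_by_substitution(raw: str) -> str:
    """The substitution variant: every element becomes 'name,' then the trailing comma goes."""
    replaced = ELEMENT_SED.sub(r"\1,", raw)
    # Mirrors: | eval keys=substr(keys,1,len(keys)-1)
    return replaced[:-1] if replaced.endswith(",") else replaced


# Editor's addition for the "values instead of keys" follow-up (hypothetical regex,
# not from the thread): capture name, skip any attributes, capture the text content.
ELEMENT_KV = re.compile(r"<([A-Za-z]+)[^>]*>([^<]*)</\1>")


def extract_values(raw: str) -> list[str]:
    """Return the text content of each element, in document order."""
    return [m.group(2) for m in ELEMENT_KV.finditer(raw)]


def dedupe_keys(keys: list[str]) -> list[str]:
    """Editor's addition for the duplicate-keys follow-up: drop repeats, keep first-seen order."""
    seen: set[str] = set()
    return [k for k in keys if not (k in seen or seen.add(k))]


if __name__ == "__main__":
    for event in EVENTS:
        print(join_keys(extract_keys(event)))      # e.g. ContractId,Name,IncurredDate
        print(keys_by_substitution(event))         # same result via substitution
        print(join_keys(extract_values(event)))    # true,true,true
```

Two caveats a practitioner hits quickly with the answer's regexes: `[A-Za-z]+` stops at the first character that is not a letter, so tag names containing digits, underscores or a namespace prefix (`<Item2>`, `<ns:Name>`) are truncated or missed, and `.` in the sed form does not cross a newline, so an element whose content spans lines is not collapsed. In Splunk, `mvdedup(keys)` applied before `mvjoin` is the counterpart of `dedupe_keys` here.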

bansi
Path Finder

How would I remove duplicate keys in eval keys=mvjoin(keys,",")?

0 Karma

bansi
Path Finder

Thanks, it works.

0 Karma

southeringtonp
Motivator

Ok. Trying to use substitution to blank out part of the string could work, but sounds like a more complicated approach than you need. Field extraction is likely to be easier. See edits above -- it's similar in principle to your other question at http://answers.splunk.com/questions/9505/filter-search-results

0 Karma

bansi
Path Finder

Yes, I tried xmlkv and all the other search commands in the cheat sheet, but nothing fits the bill. Looks like I am running out of options.
Each entry in the log file is XML, so I have to extract the XML node names without worrying about their content; all I need is the node names.
The XML entry looks like this:

<ContractId>true</ContractId><Name name-type="Name">true</Name><IncurredDate>true</IncurredDate>

All I need to extract is the node names, like ContractId, Name, IncurredDate.

0 Karma

ftk
Motivator

I am not sure what you mean. Can you post an example output you're looking for?

0 Karma