Splunk Search

Search And Global Replace Like Function in Splunk ???

Path Finder

I have XML log file in following format

<ContractId>true</ContractId><Name name-type="Name">true</Name><IncurredDate>true</IncurredDate> 

I would like to search and replace the above XML entry in the log file with ContractId, Name, IncurredDate.

0 Karma

Path Finder

How would I do the same for values, meaning how to extract just the values instead of the keys and then comma-separate those values?

0 Karma

Path Finder

The following sed command doesn't work:
rex mode=sed s/>true./>/,/g
What am I missing?

0 Karma

Path Finder

I have the following entries in the log file:

truetruetrue

truetruetrue
I would like to search and extract only the tag names.
For example, the output should be the tag names, comma separated:

ContractId, Name, IncurredDate
ContractId, Name, Date

My search command replaces only the first occurrence, so I tried something like rex mode=sed "s/find/replace/g", but even that didn't help.
Please let me know the rex command to extract the tag names.

0 Karma

Motivator

Are you just trying to extract fields?

Have you found the xmlkv command?

In general, the Search Reference and Search Command Cheat Sheet are good places to start.


Update:

Substitution really doesn't seem to be the best approach here. Why not just extract the matches for the beginning of a tag into a new field, then join them back together if you want a single line?

| rex field=_raw max_match=50 "\<(?<keys>[A-Za-z]+)"
| eval keys=mvjoin(keys,",")

If you're really that set on substitution for some reason, I suppose you could do something like:

| eval keys=_raw
| rex field=keys mode=sed "s/<([A-Za-z]+).*?<\/\1>/\1,/g"
| eval keys=substr(keys,1,len(keys)-1)

These are shown pulling from _raw, which is the full event text - if the XML string is already in another field you'll need to adjust for that.

While working with rex, if you need a reference on regular expression syntax, you might want to check
http://www.regular-expressions.info/

0 Karma
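To check the two approaches from the answer above outside Splunk, here is an added Python model of them (not from the original thread or from Splunk itself): the same regexes run with Python's re module, which handles these patterns the same way Splunk's PCRE engine does. The first sample event is the XML string from the question; the second and third are constructed, and the nested third one plus the dedup option go beyond the thread to show where the two approaches give different results and how the later question about duplicate keys can be handled. Function names are my own.

```python
import re

# Constructed sample events. The first is the XML string from the question;
# the second is a constructed variant ending in a <Date> node (matching the
# "ContractId, Name, Date" output the asker wants); the third is a constructed
# nested document used to show where the two SPL approaches diverge.
EVENTS = [
    '<ContractId>true</ContractId><Name name-type="Name">true</Name>'
    '<IncurredDate>true</IncurredDate>',
    '<ContractId>true</ContractId><Name name-type="Name">true</Name>'
    '<Date>true</Date>',
    '<Claim><ContractId>true</ContractId><ContractId>true</ContractId></Claim>',
]

# Approach 1: rex field=_raw max_match=50 "\<(?<keys>[A-Za-z]+)" then mvjoin.
# "<" followed directly by letters matches only opening tags, since closing
# tags begin with "</"; the attribute on <Name name-type="Name"> is ignored
# because the character class stops at the first space.
OPEN_TAG = re.compile(r"<([A-Za-z]+)")

def keys_by_extraction(raw, max_match=50, dedup=False):
    """Model of: rex max_match=50 + eval keys=mvjoin(keys, ",")."""
    keys = OPEN_TAG.findall(raw)[:max_match]
    if dedup:  # order-preserving de-duplication, for the duplicate-keys question
        keys = list(dict.fromkeys(keys))
    return ",".join(keys)

# Approach 2: rex mode=sed "s/<([A-Za-z]+).*?<\/\1>/\1,/g" then substr.
# The lazy ".*?" swallows attributes and element text up to the matching
# closing tag (backreference \1). Note the consequence on nested XML: the
# whole outer element collapses to its own name, while approach 1 lists
# every opening tag it sees.
ELEMENT = re.compile(r"<([A-Za-z]+).*?</\1>")

def keys_by_substitution(raw):
    """Model of: rex mode=sed ... then substr(keys,1,len(keys)-1) to drop the comma."""
    keys = ELEMENT.sub(r"\1,", raw)
    return keys[:-1] if keys.endswith(",") else keys

if __name__ == "__main__":
    for raw in EVENTS:
        print(keys_by_extraction(raw), "|", keys_by_substitution(raw))
```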

Path Finder

How would I remove duplicate keys in eval keys=mvjoin(keys,",")?

0 Karma

Path Finder

Thanks, it works.

0 Karma

Motivator

Ok. Trying to use substitution to blank out part of the string could work, but sounds like a more complicated approach than you need. Field extraction is likely to be easier. See edits above -- it's similar in principle to your other question at http://answers.splunk.com/questions/9505/filter-search-results

0 Karma

Path Finder

Yes, I tried xmlkv and all the other search commands in the cheat sheet, but nothing fits the bill. Looks like I am running out of options.
Each entry in the log file is XML, so I have to extract the XML node names without worrying about their content; all I need is the node names.
The XML entry looks like this:

truetruetrue

All i need to extract is node names like ContractId, Name, IncurredDate.

0 Karma

Motivator

I am not sure what you mean. Can you post an example output you're looking for?

0 Karma