I have an XML log file in the following format
I would like to search and replace the above XML entry in the log file to ContractId, Name, IncurredDate
I have the following entries in the log file
I would like to search and extract only the tag names.
For example, the output should be the tag names, comma separated
ContractId, Name, IncurredDate
ContractId, Name, Date
My search command replaces only the first occurrence of
Please let me know the rex command to extract tag names
Are you just trying to extract fields?
Have you found the
Substitution really doesn't seem to be the best approach here. Why not just extract the matches for the beginning of a tag into a new field, then join them back together if you want a single line?
| rex field=_raw max_match=50 "\<(?<keys>[A-Za-z]+)" | eval keys=mvjoin(keys,",")
If you're really that set on substitution for some reason, I suppose you could do something like:
| eval keys=_raw | rex field=keys mode=sed "s/<([A-Za-z]+).*?<\/\1>/\1,/g" | eval keys=substr(keys,1,len(keys)-1)
These are shown pulling from _raw, which is the full event text - if the XML string is already in another field you'll need to adjust for that.
While working with rex, if you need a reference on regular expression syntax, you might want to check
Ok. Trying to use substitution to blank out part of the string could work, but sounds like a more complicated approach than you need. Field extraction is likely to be easier. See edits above -- it's similar in principle to your other question at http://answers.splunk.com/questions/9505/filter-search-results
Yes, I tried xmlkv and all the other search commands in the cheat sheet, but nothing fits the bill. Looks like I am running out of options.
Each entry in the log file is XML, so I have to extract the XML node names without worrying about their content; all I need is the node names.
The XML entry looks like this
All I need to extract is node names like ContractId, Name, IncurredDate.
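An added example, not part of the original thread: the two regexes from the answer above (the rex extraction and the mode=sed substitution), emulated in Python and run over constructed events to show where they diverge. The function names and sample events are assumptions made for illustration, and Python's re module stands in for Splunk's regex engine.

```python
import re

# Constructed sample events (not taken from the original post).
EVENTS = [
    "<ContractId>1001</ContractId><Name>Alice</Name><IncurredDate>2010-12-01</IncurredDate>",
    # Non-XML prefix in front of the XML, as log lines often have.
    "12:00:01 INFO <ContractId>1002</ContractId><Name>Bob</Name>",
    # Attribute, nested elements and a self-closing tag.
    '<Claim id="7"><Name>Carol</Name><Note/></Claim>',
]

# Regex from the rex extraction in the answer; "\<" there is a literal "<".
OPEN_TAG = re.compile(r"<([A-Za-z]+)")
# Regex from the mode=sed substitution in the answer.
TAG_PAIR = re.compile(r"<([A-Za-z]+).*?</\1>")


def extract_keys(raw, max_match=50, sep=","):
    """Emulate rex max_match=N followed by mvjoin(keys, sep)."""
    return sep.join(OPEN_TAG.findall(raw)[:max_match])


def substitute_keys(raw):
    """Emulate the sed replacement, then substr() dropping the last character."""
    replaced = TAG_PAIR.sub(r"\1,", raw)
    return replaced[:-1]


if __name__ == "__main__":
    for event in EVENTS:
        print("extract   :", extract_keys(event))
        print("substitute:", substitute_keys(event))
```

On these constructed events the substitution keeps the non-XML prefix and collapses the nested Claim event to a single name, while the extraction returns every opening tag name.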