Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Simplifying event displays

rdb_splunk
Explorer
‎12-13-2012 10:47 AM

Hi there,

I have XML logs that I bring into spunk. Unfortunately, there is far too much not required information for me to go through,

eg, an event will contain,

2 12/12/12 3:53:39.945 PM
2012.12.12 20:53:39.945 GMT1355345619945America/New_York02012.12.12 20:53:39.945 GMT135534561994546985burl-cap28996AvidLicenseServiceFINERDoing Overdue Cleanup task...42Overdue Cleanup Threadcom.avid.workgroup.license.service.provider.behaviorcom.avid.workgroup.license.service.provider.behavior.LicenseRequest$OverdueCleanupTaskrun

I really want to filter it down to

2012.12.12 20:53:39.945 GMTburl-cap2AvidLicenseServiceFINERDoing Overdue Cleanup task...<com.avid.workgroup.license.service.provider.behaviorcom.avid.workgroup.license.service.provider.behavior.LicenseRequest$OverdueCleanupTask<

As you can see, a lot less detail.

Anyone have any ideas - thanks

Tags (1)
0 Karma
Reply

Ayn
Legend
‎12-13-2012 02:27 PM

If you're just doing this because you want to browse through events more easily and don't want to actually lose any data, another route you could take is to extract the XML values to fields (have a look at the xmlkv and spath commands), and then use table to show only the fields in the XML events that you're interested in.

Reply

jonuwz
Influencer
‎12-13-2012 02:20 PM

Yep.

You can write a sed filter to alter the event before its indexed.
I assume this is what you want.
DISCLAIMER - the original event is lost for good, you can't get back the data you strip out.

Put this in your props.conf under a stanza that represents this sourcetype/source/whatever

change 'date|hostname|level|message' to be the list of fields you want to keep.

SEDCMD-reduce_xml = s/(?:(?!<record>)<((?!(?:date|hostname|level|message)>)[^>]+)>.*?<\/\1>)|<\/?record>//g

You'll need to restart splunk for the change to take effect

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...