Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Speeding up XML searches

bhiley
Explorer
‎06-08-2011 05:01 PM

It seems I need to use 'xmlkvrecursive' to properly parse XML log files where the tags may contain many attributes. However this parsing is during the search, which is consequently v. slow.
How can I parse (using xmlkvrecursive or similar) at index time - then search on the tag or attribute names via the indexes ?

Example of current search :-

index=test1 sourcetype="mmsgw" | xmlkvrecursive | search ActivityLogRecord_Common-ServerID="mmsgw1.xxx.com" ActivityLogRecord_Common-UserID="999999999@h1.xxx.com"

A single data record typically looks like :-



















































































Tags (1)
Reply

lguinn2
Legend
‎06-08-2011 05:24 PM

I don't think there is any way to parse XML prior to indexing.

However, what might make your search run more quickly: does the value "mmsgw1.xxx.com" appear anywhere in the text other than the ActivityLogRecord_Common-ServerID? If this value does NOT appear anywhere else, then you could simply search

index=test1 sourcetype="mmsgw" mmsgw1.xxx.com

for example. Once you have retrieved only the needed events, then you could apply the xmlkvrecursive. This would probably be much faster, if you can eliminate a significant number of events in the initial search. And perhaps you don't need to parse the XML at all -- you only need to create the fields from the XML if you want to run searches, statistics or reports on the fields that are created by xmlkvrecursive.

Based on the example event, the following search is also valid

index=test1 sourcetype=mmsgw serverid="mmsgw1.xxx.com" userid="999999999"

and also doesn't appear to require the XML to be parsed. But of course, I don't really understand the data...

0 Karma
Reply

bhiley
Explorer
‎06-08-2011 05:44 PM

Seems slightly counter-intuitive to me to index before you parse but then I'm a newbie with Splunk. Your method certainly speeds up the search hugely. Many thanks.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...