XML Field Extraction

Explorer

Hi,

Here's a sample of my XML data. I want to get the username. I tried a field alias, but that's not working, nor is field extraction. When I open the field extractor tool, the data is truncated after the caller_profile tag. When I look at the event, it's all there. It's only when I try to use the field extractor that it gets truncated.

props.conf:
[conf_cdr_xml]
TRUNCATE = 0
KV_MODE = xml

data sample:


1235551234-101
hostname.com
8000
20
1510329526
1510329534


1510329526
1510329534

true
true
false
false


1235551010
XML
Joe Boss
1235551010


1235551010

10.0.1.1

1235551234;conf=101;mod;tone=NO_SOUNDS
038fa0ce-c630-11e7-938f-b3cdceb36fa4
mod_sofia
public
sofia/internal/1235551010@10.10.1.1





0 Karma

SplunkTrust

@mwcooley, so by KV_MODE=xml not working do you mean Search Time Field discovery in smart/verbose mode is not working? The following table command does not work

<YourBaseSearch>
|  table *username

Have you also tried

<YourBaseSearch>
| spath
|  table *username

In case XML parsing is not working and you are able to see data with <username>1235551010</username>, then try the following rex command and see how it behaves:

<YourBaseSearch>
|  rex "<username>(?<username>[^\<]+)</username>"
|  table username
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma
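The checks suggested in the answer can be reproduced without the original data. The search below is an added example, not part of the original thread: it builds one constructed event with makeresults and runs automatic spath, a path-specific spath and the rex side by side. Only the username and caller_profile element names come from the post; the cdr, callflow, caller_id_name and network_addr element names and the output field names path_username, rex_username, agree and sample_note are assumptions.

```spl
| makeresults
| eval sample_note="constructed event, element nesting is assumed"
| eval _raw="<cdr><callflow><caller_profile><username>1235551010</username><caller_id_name>Joe Boss</caller_id_name><network_addr>10.0.1.1</network_addr></caller_profile></callflow></cdr>"
| spath
| spath output=path_username path=cdr.callflow.caller_profile.username
| rex "<username>(?<rex_username>[^<]+)</username>"
| eval agree=if(path_username==rex_username, "yes", "no")
| table sample_note *username agree
```

With no arguments, spath parses only the first 5000 bytes of an event by default (extraction_cutoff under [spath] in limits.conf), so on long events an element near the end can be missing from the automatic extraction while the path-specific spath and the rex still return it.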