Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: field extraction from raw data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
field extraction from raw data
Hi There,
I have below data that i will like to extract as key-value pair from a custom event source i have created.
for example i have
sourcetype=DBData
and in each result i have below data that i will like to extract. the data is in XML format
< Name > username1 < /Name >
< Name > username2 < /Name >
< Name > username3 < /Name >
< Name > username3 < /Name >
I want to call Field Name as UersName and value as per above from the data.
I have tried the Interactive Field Extractor for this source type and added bunch of values as shown above but when i click on generate it give me below errors. I am not good at all with regex as of now. This sounds very simple task i am not sure why IFX is not able to take care of this.
Invalid search job/offset specified. [HTTP 404] https://127.0.0.1:8089/services/search/jobs/1367438277.12976; [{'text': 'Unknown sid.', 'type': 'FATAL', 'code': None}]. Defaulting to using values from the first result of the search string: ""
No regex could be learned. Try providing different examples or restriction.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about:
<Name>(?<UserName>[^<]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is your data formatted exactly as above, with spaces after and before the tags? In that case you need to change the regex accordingly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry for late reply, but it did not work..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jatin_patel, using the field extractor is the wrong way to go with this data type. Here you will want to use props.conf file for advanced configuration.
#props.conf
[DBData]
KV_MODE = xml #xml : automatically extracts fields from XML data
FIELDALIAS-Name = Name AS UserName #Use this to apply aliases to a field. The original field is not removed. This just means that the original field can be searched on using any of its aliases.
Read through the props.conf for more information. Propsconf
This should get your started and or help. Dont forget to vote up and accept anwsers that help.
Cheers,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried but that is creating too many unwanted fields like over 5000. I only need few fields from the XML data. Search also becomes pretty slow.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
