×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
RickH
New Member
Member since: ‎05-09-2016
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-09-2016
View All

Re: Parsing oddly formatted XML (NetApp log)

by in Dashboards & Visualizations
‎05-08-2017 01:22 PM
‎05-08-2017 01:22 PM
Thanks, I'll try spath out next. I am able to get some meaningful data out with xmlkv & rex (below). xmlkv gets some of the fields and the rex grabs a few more. My preference is to extract at index time so that I only store the fields I care about, but still researching - haven't figured that out yet. index=netapp | xmlkv | search EventName="*" |rex "\<Data Name\=\"ObjectName\"\>(?<file>.*?)\<\/Data\>" | rex "\<Data Name\=\"OldPath\"\>(?<oldfile>.*?)\<\/Data\>" | rex "\<Data Name\=\"NewPath\"\>(?<newfile>.*?)\<\/Data\>" |table _time, EventName, file, oldfile, newfile ... View more

Parsing oddly formatted XML (NetApp log)

by in Dashboards & Visualizations
‎05-08-2017 04:16 AM
‎05-08-2017 04:16 AM
Hello, I'm trying to parse a XML file generated by NetApp security auditing. I'm able to get it ingested, but it's just a string, so it's hard for the consumers to decode. The XML itself is confusingly formatted, I'm baffled on how to parse. I wouldn't mind extracting the key/values and dumping the raw message. My props is: NO_BINARY_CHECK = true category = Custom description = netapp disabled = false pulldown_type = true BREAK_ONLY_BEFORE = ^<Event> KV_MODE = xml TIME_PREFIX = TimeCreated SystemTime\= The data looks like this(except all run together - no line breaks): <Event> <System> <Provider Name="Netapp-Security-Auditing"/> <EventID>4656</EventID> <EventName>Open Object</EventName> <Version>011.3</Version> <Source>CIFS</Source> <Level>0</Level> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <Result>Audit Success</Result> <TimeCreated SystemTime="2017-05-05T21:05:15.082531000Z"/> <Correlation/> <Channel>Security</Channel> <Computer>22b28c65-f331-11e4-a097-22a098654934/a1ee37f6-f8d5-11e4-a098-00a098654934</Computer> <Security/> </System> <EventData> ##lines like below have variations on how they show the key=values <Data Name="SubjectIP" IPVersion="4">10.22.33.235</Data> <Data Name="SubjectUnix" Uid="65534" Gid="65534" Local="false"></Data> <Data Name="SubjectUserSid">S-1-5-21-2112345321-1480738125-1508530778-84740</Data> <Data Name="SubjectUserIsLocal">false</Data> <Data Name="SubjectDomainName">theDomain</Data> <Data Name="SubjectUserName">Bob12345</Data> <Data Name="ObjectServer">Security</Data> <Data Name="ObjectType">File</Data> <Data Name="HandleID">00000000000424;00;00069642;b4221099</Data> <Data Name="ObjectName">(design);/Jobs/RR41_Video/RR41_PRINT/~mc_rr41~3.idlk</Data> <Data Name="AccessList">%%4423 %%1537 %%1541 </Data> <Data Name="AccessMask">11080</Data> <Data Name="DesiredAccess">Read Attributes; Delete; Synchronize; </Data> <Data Name="Attributes"></Data> </EventData> </Event> Thanks! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM