Hello all,
I'm new to Splunk and I would love some help here. I have an xml file (well, partial xml as you will see), that I want to extract field values from, and I don't care whether that will be at index-time or search-time. What is important to me is that I would be able to see the fields when I search the events. I have been searching for 2 days now and tried different answers I came across, but in vain. Even the documentation isn't clear enough with examples. I am able to extract the fields in the search (using spath and specifying tag paths), but that is not what I want. I want to have the event fields extracted as soon as I fetch the event by sourcetype without using spath.
Here's a sample of the XML file:
POST /Air HTTP/1.1
Content-Length: 1048
Content-Type: text/xml
Date: Mon, 30 Aug 2004 13:17:39 MEST
Host: ws2258:10010
User-Agent: CX/4.3/1.0
Authorization: Basic dXNlcjpwYXNzd29yZA==
<?xml version="1.0" encoding="utf-8"?>
<methodCall>
<methodName>UpdateServiceClass</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>originNodeType</name>
<value>
<string>CX</string>
</value>
</member>
<member>
<name>originHostName</name>
<value>
<string>CX_1</string>
</value>
</member>
<member>
<name>originTransactionID</name>
<value>
<string>12013021310152350917</string>
</value>
</member>
<member>
<name>originTimeStamp</name>
<value>
<dateTime.iso8601>20130213T08:15:23+0200</dateTime.iso8601>
</value>
</member>
<member>
<name>subscriberNumberNAI</name>
<value>
<int>0</int>
</value>
</member>
<member>
<name>subscriberNumber</name>
<value>
<string>01101004157</string>
</value>
</member>
<member>
<name>originOperatorID</name>
<value>
<string>ericsson</string>
</value>
</member>
<member>
<name>serviceClassAction</name>
<value>
<string>SetOriginal</string>
</value>
</member>
<member>
<name>serviceClassNew</name>
<value>
<int>201</int>
</value>
</member>
<member>
<name>serviceClassCurrent</name>
<value>
<int>202</int>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
This file contains only one record with multiple xml tag values. What I want is to extract the field values without using spath. I want some configuration in the sourcetype so that the data is automatically extracted.
Here's the configuration I tried so far:
In props.conf:
BREAK_ONLY_BEFORE = (<methodCall>)
DATETIME_CONFIG = CURRENT
FIELDALIAS-rootfields = methodCall.params.param.value.struct.member{1}.value.string as "Origin Node Type" methodCall.params.param.value.struct.member{2}.value.string as "Origin Host Name" methodCall.params.param.value.struct.member{3}.value.string as "Origin Transaction ID" methodCall.params.param.value.struct.member{4}.value as "Origin Timestamp" methodCall.params.param.value.struct.member{5}.value.int as "Subscriber Number NAI" methodCall.params.param.value.struct.member{6}.value.string as "Subscriber Number" methodCall.params.param.value.struct.member{7}.value.string as "Origin Operator ID" methodCall.params.param.value.struct.member{9}.value.int as "Service Class New" methodCall.params.param.value.struct.member{8}.value.string as "Service Class Action" methodCall.params.param.value.struct.member{10}.value.int as "Service Class Current"
KV_MODE = xml
LINE_BREAKER = (<methodCall>)
NO_BINARY_CHECK = true
REPORT-xmlkv =
SHOULD_LINEMERGE = true
TRUNCATE = 0
category = Custom
disabled = false
pulldown_type = true
supports_multivalues = true
REPORT-kozbaraXML = kozbaraXML
In transforms.conf:
[kozbaraXML]
REGEX = <([^\s>]+)[^>]*>([^<]*)</\1>
FORMAT = $1::$2
That was as far as I was able to get according to what I found and understood from what I read. Any help would be much appreciated.
Update:
The output of the previous configurations:
With another configuration as follows: (props.conf only)
BREAK_ONLY_BEFORE = (<methodCall>)
DATETIME_CONFIG = CURRENT
FIELDALIAS-rootfields = methodCall.params.param.value.struct.member{1}.value.string as "Origin Node Type" methodCall.params.param.value.struct.member{2}.value.string as "Origin Host Name" methodCall.params.param.value.struct.member{3}.value.string as "Origin Transaction ID" methodCall.params.param.value.struct.member{4}.value as "Origin Timestamp" methodCall.params.param.value.struct.member{5}.value.int as "Subscriber Number NAI" methodCall.params.param.value.struct.member{6}.value.string as "Subscriber Number" methodCall.params.param.value.struct.member{7}.value.string as "Origin Operator ID" methodCall.params.param.value.struct.member{9}.value.int as "Service Class New" methodCall.params.param.value.struct.member{8}.value.string as "Service Class Action" methodCall.params.param.value.struct.member{10}.value.int as "Service Class Current"
KV_MODE = xml
LINE_BREAKER = (<methodCall>)
NO_BINARY_CHECK = true
REPORT-xmlkv =
SHOULD_LINEMERGE = true
TRUNCATE = 0
category = Custom
disabled = false
pulldown_type = true
supports_multivalues = true
REPORT-xmlfield = xmlfield
The output is:
However, what I want is something like this:
Required Output:
https://drive.google.com/open?id=0B_dKbpAuqWHtNzk5amRqLUxrcE0
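Added example (not from the original post and not Splunk's own code): a small Python check that runs the post's per-tag REGEX and an alternative name/value pairing regex (my assumption) over a constructed event in the same <member><name>/<value> shape, imitating how a REPORT extraction with FORMAT names fields, so the resulting keys can be seen before editing props.conf/transforms.conf. Python's re module stands in for Splunk's PCRE engine here; the extract() helper is a rough approximation, not Splunk's actual extractor.

```python
import re

# Constructed sample event in the same XML-RPC "member" layout as the post's
# file (three members only; values reused from the post for illustration).
SAMPLE_EVENT = (
    "<methodCall>\n<methodName>UpdateServiceClass</methodName>\n<params><param><value><struct>\n"
    "<member>\n<name>originNodeType</name>\n<value>\n<string>CX</string>\n</value>\n</member>\n"
    "<member>\n<name>subscriberNumberNAI</name>\n<value>\n<int>0</int>\n</value>\n</member>\n"
    "<member>\n<name>serviceClassNew</name>\n<value>\n<int>201</int>\n</value>\n</member>\n"
    "</struct></value></param></params>\n</methodCall>"
)

# The post's per-tag REGEX with its missing quantifiers added. It keys each
# field by TAG name, so FORMAT = $1::$2 yields name=..., string=..., int=...
PER_TAG_REGEX = r"<([^\s>]+)[^>]*>([^<]*)</\1>"

# Pairing regex (an assumption, not from the post): ties each <name> text to
# the text of the typed <value> child that follows it, so the extracted key is
# the member name. In transforms.conf it would go with FORMAT = $1::$3.
NAME_VALUE_REGEX = r"<name>([^<]+)</name>\s*<value>\s*<([^\s>]+)>([^<]*)</\2>\s*</value>"


def extract(event, regex, key_group, value_group, mv_add=False):
    """Rough stand-in for a REPORT-style extraction: the regex is applied to
    every match in the event and FORMAT = $key::$value names the field.
    With mv_add=False (MV_ADD's default) the first value seen per key wins."""
    fields = {}
    for m in re.finditer(regex, event):
        key, value = m.group(key_group), m.group(value_group)
        if mv_add:
            fields.setdefault(key, []).append(value)
        elif key not in fields:
            fields[key] = value
    return fields


if __name__ == "__main__":
    print("per-tag keys :", extract(SAMPLE_EVENT, PER_TAG_REGEX, 1, 2))
    print("by member name:", extract(SAMPLE_EVENT, NAME_VALUE_REGEX, 1, 3))
```

Running it shows the per-tag regex collapsing every member into a single name/string/int field (or a multivalue field with MV_ADD), while the pairing regex produces originNodeType=CX and friends.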