Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to remove specific xml element with attribute (only start tag)?

dmuley
Explorer
‎06-15-2022 08:42 PM

I have the event that looks like below 

 

2022-06-15 19:59:57.489 threadId=L4GFP2275S1K class="ActiveSession" mname="NA" callId="NA" eventType="InMsg" data="<InfoNox_Interface xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><TestRQ><Merchant_ID>testmid</Merchant_ID></TestRQ>"

and I would like to remove below xml element with attribute from data fields , How can I do that ?

<InfoNox_Interface xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

Results I want is 

2022-06-15 19:59:57.489 threadId=L4GFP2275S1K class="ActiveSession" mname="NA" callId="NA" eventType="InMsg" data="<TestRQ><Merchant_ID>testmid</Merchant_ID></TestRQ>"

@ITWhisperer 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-15-2022 11:30 PM

Is there anything else you forgot to mention? 😀

| rex mode=sed "s/\<InfoNox_Interface xmlns:xsd=\"http:\/\/www\.w3\.org\/2001\/XMLSchema\" xmlns:xsi=\"http:\/\/www\.w3\.org\/2001\/XMLSchema-instance\"\>//g"

View solution in original post

Reply
Solved! Jump to solution

dmuley
Explorer
‎06-15-2022 11:23 PM

@ITWhisperer  Sorry but this is specific element and its placement is not necessarily to start of the data field.

So in short I need to remove anything that starts with <InfoNox_Interface and ends with >. 

below string should be replaced with nothing.

<InfoNox_Interface xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-15-2022 11:30 PM

Is there anything else you forgot to mention? 😀

| rex mode=sed "s/\<InfoNox_Interface xmlns:xsd=\"http:\/\/www\.w3\.org\/2001\/XMLSchema\" xmlns:xsi=\"http:\/\/www\.w3\.org\/2001\/XMLSchema-instance\"\>//g"
Reply
Solved! Jump to solution

dmuley
Explorer
‎06-15-2022 11:33 PM

Yes you are such a kind person. thanks a lot @ITWhisperer 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-15-2022 11:09 PM 
| rex mode=sed "s/data=\"<[^>]+>/data=\"/g"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...