Splunk Enterprise Security

How to remove specific xml element with attribute (only start tag)?

dmuley
Explorer

I have the event that looks like below 

 

2022-06-15 19:59:57.489 threadId=L4GFP2275S1K class="ActiveSession" mname="NA" callId="NA" eventType="InMsg" data="<InfoNox_Interface xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><TestRQ><Merchant_ID>testmid</Merchant_ID></TestRQ>"

and I would like to remove below xml element with attribute from data fields , How can I do that ?

<InfoNox_Interface xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

Results I want is 

2022-06-15 19:59:57.489 threadId=L4GFP2275S1K class="ActiveSession" mname="NA" callId="NA" eventType="InMsg" data="<TestRQ><Merchant_ID>testmid</Merchant_ID></TestRQ>"

@ITWhisperer 

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Is there anything else you forgot to mention? 😀

| rex mode=sed "s/\<InfoNox_Interface xmlns:xsd=\"http:\/\/www\.w3\.org\/2001\/XMLSchema\" xmlns:xsi=\"http:\/\/www\.w3\.org\/2001\/XMLSchema-instance\"\>//g"

View solution in original post

dmuley
Explorer

@ITWhisperer  Sorry but this is specific element and its placement is not necessarily to start of the data field.

So in short I need to remove anything that starts with <InfoNox_Interface and ends with >. 

below string should be replaced with nothing.

<InfoNox_Interface xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Is there anything else you forgot to mention? 😀

| rex mode=sed "s/\<InfoNox_Interface xmlns:xsd=\"http:\/\/www\.w3\.org\/2001\/XMLSchema\" xmlns:xsi=\"http:\/\/www\.w3\.org\/2001\/XMLSchema-instance\"\>//g"

dmuley
Explorer

Yes you are such a kind person. thanks a lot @ITWhisperer 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| rex mode=sed "s/data=\"<[^>]+>/data=\"/g"
0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...