Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to remove specific xml element with attribute (only start tag)?

dmuley
Explorer
‎06-15-2022 08:42 PM

I have the event that looks like below 

 

2022-06-15 19:59:57.489 threadId=L4GFP2275S1K class="ActiveSession" mname="NA" callId="NA" eventType="InMsg" data="<InfoNox_Interface xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><TestRQ><Merchant_ID>testmid</Merchant_ID></TestRQ>"

and I would like to remove below xml element with attribute from data fields , How can I do that ?

<InfoNox_Interface xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

Results I want is 

2022-06-15 19:59:57.489 threadId=L4GFP2275S1K class="ActiveSession" mname="NA" callId="NA" eventType="InMsg" data="<TestRQ><Merchant_ID>testmid</Merchant_ID></TestRQ>"

@ITWhisperer 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-15-2022 11:30 PM

Is there anything else you forgot to mention? 😀

| rex mode=sed "s/\<InfoNox_Interface xmlns:xsd=\"http:\/\/www\.w3\.org\/2001\/XMLSchema\" xmlns:xsi=\"http:\/\/www\.w3\.org\/2001\/XMLSchema-instance\"\>//g"

View solution in original post

Reply
Solved! Jump to solution

dmuley
Explorer
‎06-15-2022 11:23 PM

@ITWhisperer  Sorry but this is specific element and its placement is not necessarily to start of the data field.

So in short I need to remove anything that starts with <InfoNox_Interface and ends with >. 

below string should be replaced with nothing.

<InfoNox_Interface xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-15-2022 11:30 PM

Is there anything else you forgot to mention? 😀

| rex mode=sed "s/\<InfoNox_Interface xmlns:xsd=\"http:\/\/www\.w3\.org\/2001\/XMLSchema\" xmlns:xsi=\"http:\/\/www\.w3\.org\/2001\/XMLSchema-instance\"\>//g"
Reply
Solved! Jump to solution

dmuley
Explorer
‎06-15-2022 11:33 PM

Yes you are such a kind person. thanks a lot @ITWhisperer 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-15-2022 11:09 PM 
| rex mode=sed "s/data=\"<[^>]+>/data=\"/g"
0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...