JMS Messaging Modular Input: How to automatically run xmlkv?

David
Splunk Employee

I am using the JMS Mod Input. The mod input outputs the timestamp, eventid, and then a msg_body="[Giant XML Blob]". If I run in search and use |xmlkv, it nicely pulls out the xml fields from the middle of that event, but that doesn't work if I set kv_mode=XML (I think) because the entire event isn't XML.

I can't seem to find a way to have xmlkv automatically run, though. Has anyone dealt with this before?

0 Karma

Damien_Dallimor
Ultra Champion

Fast Forward 2 years......November 2016 update....

In the latest version of the code, you should use com.splunk.modinput.jms.custom.handler.BodyOnlyMessageHandler. This is built in with the core release, so you don't need to do anything other than declaring this handler to be applied in your JMS stanza.

https://github.com/damiendallimore/SplunkModularInputsJavaFramework/blob/master/jms/src/com/splunk/m...

0 Karma

rahlers_splunk
Splunk Employee

You can also strip it down to just the JSON or XML message this way:
http://answers.splunk.com/answers/201739/how-to-get-a-sourcetype-of-json-mixed-with-text-th.html

If it is XML, add the following to your props.conf:

SEDCMD-stripnonxml-1=s/^.*msg_body="//
SEDCMD-stripnonxml-2=s/\"$//

0 Karma

Damien_Dallimor
Ultra Champion

The 'xml' and 'json' modes will not extract any fields when used on data that isn't of the correct format (JSON or XML).

So, if you want to use KV_MODE in props.conf, the indexed event has to be just the XML payload.

You can plug in a custom message handler to the JMS Modular Input that will index only the XML message payload.

Here is some code: https://gist.github.com/damiendallimore/eef6434b8daec578c42a

1) compile this code and add the class file to a jar file
2) place this jar file in SPLUNK_HOME/etc/apps/jms_ta/bin/lib
3) in your JMS stanza, declare this custom handler to be used

0 Karma
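An added example, not code from this thread or from the JMS add-on: a Python check of what the two SEDCMD substitutions above leave behind, and whether the result is XML-only as the KV_MODE answer requires. It goes one step past the thread by also testing a payload that itself contains msg_body=". Assumptions: Python's re stands in for the regex engine, each SEDCMD replaces the first match only, and the events and field names are constructed.

```python
import re
import xml.etree.ElementTree as ET

# The two substitutions from the props.conf lines above, as Python regexes.
# Assumption: each behaves like sed's s/// without the g flag (first match only).
STRIP_PREFIX = re.compile(r'^.*msg_body="')
STRIP_SUFFIX = re.compile(r'"$')

# Constructed sample events in the timestamp / eventid / msg_body="..." layout.
RAW_EVENT = ('Tue Nov 01 10:15:00 GMT 2016 eventid=ID:constructed-1 '
             'msg_body="<order><id>42</id><status>shipped</status></order>"')
# Constructed edge case: the XML body itself contains the text msg_body=".
NESTED_EVENT = ('eventid=ID:constructed-2 '
                'msg_body="<order><note>msg_body="x"</note></order>"')

def strip_to_payload(raw):
    """Apply both substitutions in order, once each."""
    without_prefix = STRIP_PREFIX.sub("", raw, count=1)
    return STRIP_SUFFIX.sub("", without_prefix, count=1)

def is_xml_only(event):
    """True when the whole event is a single well-formed XML document."""
    try:
        ET.fromstring(event)  # constructed data only; not for untrusted XML
        return True
    except ET.ParseError:
        return False

def xml_fields(event):
    """Flat leaf-tag -> text view for checking; not Splunk's extraction logic."""
    return {el.tag: (el.text or "").strip()
            for el in ET.fromstring(event).iter() if len(el) == 0}

if __name__ == "__main__":
    for name, raw in (("plain", RAW_EVENT), ("nested", NESTED_EVENT)):
        payload = strip_to_payload(raw)
        print(name, "| raw is XML:", is_xml_only(raw),
              "| stripped is XML:", is_xml_only(payload))
        if is_xml_only(payload):
            print("  fields:", xml_fields(payload))
        else:
            # The greedy ^.* ran to the last msg_body=" in the event.
            print("  remainder:", payload)
```

The nested case fails because the greedy prefix pattern matches up to the last msg_body=" in the event, so it is worth checking sample payloads this way before relying on the substitutions at index time.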