- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: XML key pair extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've looked at about 5 examples of how to do XML key pair extraction but it's just not doing it for me and I can't figure out why.
I've got the following data in a file which is being indexed by splunk:
<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns1="http://www.example.org/Admin/"><SOAP-ENV:Body><ns1:PortalAuthentication><serverHost name="test-server-01" port = "5480" qhist = "yes" username = "testuser" timezoneoffset = "Europe/London" ><Status username="testuser" desc="Online" nzrev="7.0.0-0.F-1.P-1.Bld-26407" fss="schema_disabled" upper="true"/></serverHost><serverHost name="test-server-03" port = "5480" qhist = "yes" username = "testuser" timezoneoffset = "Europe/London" ><Status username="testuser" desc="Online" nzrev="7.0.2-0.F-1.P-5.Bld-31068" fss="schema_disabled" upper="true"/></serverHost><serverHost name="test-server-04" port = "5480" qhist = "yes" username = "testuser" timezoneoffset = "Europe/London" ><Status username="testuser" desc="Online" nzrev="7.0.0-0.F-1.P-1.Bld-26407" fss="schema_disabled" upper="true"/></serverHost><serverHost name="test-server-05" port = "5480" qhist = "yes" username = "testuser" timezoneoffset = "America/Danmarkshavn" ><Status username="testuser" desc="Online" nzrev="7.0.2-0.F-1.P-3.Bld-29542" fss="schema_disabled" upper="true"/></serverHost><serverHost name="test-server-06" port = "5480" qhist = "yes" username = "testuser" timezoneoffset = "Europe/London" ><Status username="testuser" desc="Online" nzrev="7.0.2-0.F-1.P-5.Bld-31068" fss="schema_disabled" upper="true"/></serverHost><serverHost name="test-server-07" port = "5480" qhist = "yes" username = "testuser" timezoneoffset = "America/Danmarkshavn" ><Status username="testuser" desc="Online" nzrev="7.0.2-0.F-1.P-5.Bld-31068" fss="schema_disabled" upper="true"/></serverHost><serverHost name="test-server-08" port = "5480" qhist = "yes" username = "testuser" timezoneoffset = "Europe/London" ><Status username="testuser" desc="Online" nzrev="7.0.2-0.F-1.P-5.Bld-31068" fss="schema_disabled" upper="true"/></serverHost></ns1:PortalAuthentication></SOAP-ENV:Body></SOAP-ENV:Envelope> Wed Oct 30 16:34:14 GMT 2013
I have configured my app/local/props.conf as follows:
[netezzaportal]
LINE_BREAKER = <NpsHost
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N
KV_MODE = xml
I have also tried my LINE_BREAKER as:
>(\s+)<NpsHost
and
[\>\s]((?=\<NpsHost\>))
But to no avail.
I have also tried to copy that section from the local props.conf into /opt/splunk/etc/system/local/props.conf but that also doesn't work. I have restarted the server after making each change, but Splunk still shows the whole thing as a single event.
I'm intending to make every NpsHost entry as a single event, and extract name= as the hostname for each event.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For anyone using this in a linux system, This is a gem of good news:
Use the following to parse your XML strings, even if they are all in one line:
xmllint --format /path/to/filename --output /path/to/output
This formats your xml into a line per key and it even indents them so you can still read them properly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For anyone using this in a linux system, This is a gem of good news:
Use the following to parse your XML strings, even if they are all in one line:
xmllint --format /path/to/filename --output /path/to/output
This formats your xml into a line per key and it even indents them so you can still read them properly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found that this wasn't at all possible and didn't work.
I ended up doing a scripted input instead.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
