How to extract XML field data using transforms.con...

srinathd · ‎04-17-2016

How to extract xml data contained in AUDDET_STR field in the following event using transforms.conf settings?

"2016-04-17 12:04:38:935" REC_TS="2016-04-17 12:04:38:935", USERID="sysadmin", AUDTENTRYSEQNUM="0", AUDTSEQNUM="1", DATASRC="NONE", AUDTENTRYTYP="OBEY", SRVCID="DA", AUDDET_STR="<Audit_loggingRq><Timestamp>2016-04-17T12:23:38.93533Z</Timestamp><ContextDescr>SECURE-DA</ContextDescr><Ticket><UserID>SysAdmin</UserID><SessionNumber>1</SessionNumber><TerminalID>dci.exe#529</TerminalID></Ticket><ErrorData>OK</ErrorData><ActivityGroup><ActivityType>OB</ActivityType><TableGroup><TableName>NONE</TableName></TableGroup><KeyGroup><Key><KeyColumn><ColumnName>RowCount</ColumnName><Value>0</Value></KeyColumn></Key></KeyGroup></ActivityGroup></Audit_loggingRq>"

sundareshr · ‎04-17-2016

You could try with field transformation

http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Createandmaintainsearch-timefieldextract...

Add the following to your transform
REGEX = <(\w+)>([^<]+)
FORMAT = $1::$2
MV_ADD = true

With this, if a the same field appears more than once, it will get added as a multi-value field and you can use the multivalue functions in your search

http://docs.splunk.com/Documentation/Splunk/6.0/Search/Parsemultivaluefields

How to extract XML field data using transforms.conf?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms