How to extract events in xmlns tags

sarvan7777 · ‎07-03-2018

Experts,

Here is my Log content and I wish to extract fields like

<tns:SplunkLogs xmlns:tns=\http://www.example.org/SplunkLogs\>\n
    <tns:ServiceName>mmf-bwce-customerOrder.application</tns:ServiceName>\n
    <tns:TransactionId>123</tns:TransactionId>\n
    <tns:EventType>Hold</tns:EventType>\n
    <tns:TimeStamp>2017-06-05T04:04:06.051Z</tns:TimeStamp>\n
    <tns:Payload>123456</tns:Payload>\n
    <tns:ProcessName>Delivery</tns:ProcessName>\n
    <tns:Activity>Request</tns:Activity>\n
</tns:SplunkLogs>\n

All I need is to extract the fields like ServiceName, TransactionId and so on. I have done this thru props.conf and transforms.conf as below and it works perfectly fine. But I wish to move it as a search time extraction (Without a transforms.conf). Any input is appreciated.

my_stanza]
REPORT-xmlkv = xmlkv-alternative

Transforms.conf:
[xmlkv-alternative]
FORMAT = $2::$3
REGEX = <([^\s\>]*):([^\s\>]*)\>([^<]*)\<\/\1:\2\>

amiftah · ‎07-05-2018

Did you try this solution?
https://answers.splunk.com/answers/133533/xml-extraction.html?utm_source=typeahead&utm_medium=newque...

493669 · ‎07-03-2018

have a look at spath command:
The spath command enables you to extract information from structured data formats like XML
http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/spath

sarvan7777 · ‎07-05-2018

Thanks for the response. I was not able to extract the fields with spath as my field values are at the same level. Fortunately, I got a lead to use xmlkv from the documentation link with which I was able to get the desired field extracted. Thanks for your help

How to extract events in xmlns tags

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms