Hi Friends,
I'm new to SPLUNK, so might be a silly question.
I'm having a search based on an "identifier" which gives me back 3 results. Actually all of these messages were part of a single original "xml" message which got split by an intermediate system before Splunk. Hence I wanted to combine these messages back into the original xml message.
Jun 14 09:00:27 hostname1 identifier=ILOGENGINE_22 Content-Length: 2894 <?xml version="1.0" encoding="utf-8"?><soapenv:Envelope xmlns:soapenv="schemas.xmlsoap.org/soap/envelope/" ><soapenv:Header/><soapenv:Body><ws:notify><ws:request><ws:actionTypeList><ws:genericActionTypes>ABCD</ws:genericActionTypes></ws:actionTypeList><ws:deviceRequest></ws:userAgent>version=1pm_fpua=mozilla/4.0 compatible msie 8.0 windows nt 5.1 trident/4.0 .net clr 1.1.4322 .net clr 2.0.50727...
Jun 14 09:00:27 hostname1 identifier=ILOGENGINE_22 Content-Length: 2894 ..1,4322)</ws:userAgent></ws:deviceRequest><ws:identificationData><ws:userLoginName>abc@gmail.com</ws:userLoginName><ws:userName>testUser</ws:userName><ws:pass>testPass</ws:pass><ws:phoneNumber>XXXXXXXX</ws:phoneNumber><ws:tex...
Jun 14 09:00:27 hostname1 identifier=ILOGENGINE_22 Content-Length: 2894 ...t>some Text message</ws:text></ws:request></ws:notify></soapenv:Body></soapenv:Envelope>
If you can decide which field indicates they all belong together such as that identifier field then look at the transaction command.
If you can ensure the xml portion is going into a field for each event you might could use the eval command to make a new field and combine them back together. This is something that will take experimentation and time. No easy one command answer I am afraid.
I used "identifier=ILOGENGINE_22" to identify the rows. This is not part of the XML as such but row-meta information. But now I want to combine the xml part of these messages.
If you see its not pure XML, but combination of headers and XML. Once combined, I can then remove the unwanted elements.