I'm trying to extract XML fields from a report which is about 70-80 lines (maybe more). I receive the whole report as a single event because breaking it would make the report lose its meaning. I have been researching and trying out various means of field extraction for this report but nothing has worked out so far. If anyone can help me out with this, it'd be great. I tried xmlkv, spath, xpath, manual regex field extraction. When I try manual field extraction or xmlkv, it matches only the last occurrence of the tag. For example, consider the following code sample:
When I use regex for field extraction or when I use xmlkv for, say, the field level, I get only the last value (Low). Also, spath by default extracts fields from the first 5000 characters and I understand this can be changed in limits.conf, but I don't know how many characters my report would contain, so I don't know what I should set the value to. When I try spath like so: whatever_search|spath output=host path=objects.object.ip|top host the field host contains the whole XML report and not just the field I'm looking for. Can someone please suggest some alternative/solution to this? I have no option but using XML for this.
asked 10 Apr '12, 07:53
Have you looked at MV_ADD=true in order to get more than the last value?
Basically, you need to do the following changes/additions;
Hope this helps,
answered 10 Apr '12, 08:54
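A sketch of a search-time extraction that uses MV_ADD as suggested above. This is an added example, not the answerer's own configuration. The sourcetype name xml_report, the stanza names, the host_ip field name and the assumption that the report holds plain `<level>` and `<ip>` elements are all hypothetical, since the XML sample is not shown on the page.

```ini
# props.conf
# "xml_report" is a hypothetical sourcetype; use the one assigned to the report events.
[xml_report]
# Run both transforms below at search time against each event.
REPORT-xml_report_fields = xml_report_level, xml_report_ip

# transforms.conf
[xml_report_level]
# Capture the text content of each <level>...</level> element (assumed element name).
REGEX = <level>([^<]+)</level>
FORMAT = level::$1
# Without MV_ADD a single value is kept for the field.
# With MV_ADD = true every further match is appended, making "level" multivalued.
MV_ADD = true

[xml_report_ip]
# Same pattern for the <ip> elements under objects/object (assumed element name).
REGEX = <ip>([^<]+)</ip>
FORMAT = host_ip::$1
MV_ADD = true
```

Because these transforms run a regex over the raw event rather than parsing it with spath, they are not subject to the 5000-character spath limit mentioned in the question.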
Kristian, I just wanted to say thanks for the tip. I've been able to successfully use this method to do field extractions in some xml logs I'm working with.
answered 21 May, 19:01