Refine your search:

Replace parts of a string

2

Hi! I'm trying to replace parts of a string, in order to make it more human-readable. Our logs contains strings like this one:

<properties><property><key>Prop1</key><value>1</value></property><property><key>Prop2</key><value>3</value></property><property><key>Prop3</key><value>2</value></property></properties>

And I want to show it like:

Prop1 = 1 | Prop2 = 3 | Prop3 = 2

I've extracted the inner part using:

rex "\<properties>(?<Properties>.*)\</properties>"

And for the values I've tried using replace, but it won't let me replace the inner part of the string. I'm trying with makemv, but I can't get what I want. Is this possible?

asked 03 Sep '10, 19:03

hbazan's gravatar image

hbazan
1491213
accept rate: 10%

2 Answers:
oldestnewestmost voted
5

You should be able to do this with rex's sed mode, similar to this:

| rex mode=sed "s#(<properties>)*<property><key>([^<]*)</key><value>([^<]*)</value></property>(</properties>)*#\2 = \3 #g"

This should also be usable as a "SEDCMD" in your props.conf file to edit the incoming data on the fly as it comes into splunk.

link

answered 03 Sep '10, 19:40

dwaddle's gravatar image

dwaddle ♦
15.2k2923
accept rate: 33%

Great! thanks dwaddle, I owe you a beer!

(03 Sep '10, 20:40) hbazan
6

One simple and low-tech way is to use eval's 'replace' function.

its not the prettiest but it might not make your head hurt as much as using rex in 'sed' mode. =)

after your rex:

| rex "\<properties>(?<Properties>.*)\</properties>" |

put this:

| eval Properties=replace(Properties, "</key><value>", " = ") | eval Properties=replace(Properties, "</value></property><property><key>", " | ") | eval Properties=replace(Properties, "<property><key>", "") | eval Properties=replace(Properties, "</value></property>", "")

and while we're considering nutty solutions, here's another one. Again tack this onto the end of your rex where you're extracting the Properties string.

| eval Properties=replace(Properties, "<property>", "") | makemv Properties delim="</property>" | mvexpand Properties | rename Properties as _raw | xmlkv

that last one actually makes multivalued field and then splits them into their own rows... mileage/applicability may vary.

link

answered 03 Sep '10, 20:47

sideview's gravatar image

sideview ♦
25.6k3543
accept rate: 46%

edited 03 Sep '10, 20:59

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×459
×395

Asked: 03 Sep '10, 19:03

Seen: 2,991 times

Last updated: 03 Sep '10, 20:59

Related questions

Can't replace a healthcheck string in nginx

execute search and replace parts with result from sql query

Searching for the empty string

Replace string

Segment string for regex.

Regex data from its position in string?

replace one backslash by double backslash

Splunk and Drilling down into Charts

Regex - match all ocurances of a character

Copyright © 2005-2012 Splunk Inc. All rights reserved.