Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write the regex to extract a field from XML data if the field is not completely XML?

jameskerivan
Explorer
‎01-04-2016 02:19 PM

Hi

I have a field which I would like to extract a field from the XML being displayed. The only problem is the field is not completely XML. I am not allowed to post an example, but basically I want to extract something that looks like:

Event xml 

<?xml version="1.0" encoding="UTF-8" standalone="yes"><ns2:behaviorVersion>0</ns2:behaviorVersion><triggers><channelId>0055</channelId><clientVersion>3</clientVersion></triggers><eventInfo><bos:instanceId>000121481</bos:instanceId><bos:serverName>1</bos:serverName><bos:implementationName>TransferStarted</bos:implementationName>

And I would like to grab TransferStarted in between the two tags <bos:implementationName> and </bos:implementationName>.

I have worked with regex in the past, but am still not confident. Any help would be much appreciated and Happy New Year!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎01-04-2016 03:14 PM

Have you tried this

implementationName\>(\w+)\<

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎01-04-2016 03:14 PM

Have you tried this

implementationName\>(\w+)\<
Reply
Solved! Jump to solution

jameskerivan
Explorer
‎01-04-2016 03:44 PM

Yes this is what I want. Right now I am doing 

base query | rex field=F "(?.*)implementationName\>(\w+)\<" | stats count by preName | sort count desc

But this is providing me with everything before implementationName as I specified. How would I extract that field? The way I see the regex working is it matches implementationName and looks for the characters > < for opening and closing of the value I want. Do I need to specify a variable for that value?

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎01-04-2016 03:59 PM

Try this, assuming preName is the name you want for that field.

"implementationName>(?<preName>w+)<"
0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎01-04-2016 04:00 PM

There should be a backslash before "w+"

0 Karma
Reply
Solved! Jump to solution

jameskerivan
Explorer
‎01-04-2016 04:44 PM

So the stats that it gives me is very confusing. Here is my query :

base query | rex field=F "implementationName>(?<preName>\w+)<" | stats count by preName | sort count desc

This is giving me a very small amount of the implemenationNames but it does not give them all. For example TransferStarted did not get counted in my stats but if I look in the events I can see it. Am I missing something?

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎01-04-2016 04:58 PM

If there is more than 1 occurrence of the preName in one event, you should add max_match=0 to the rex command and used multi-value functions to get the right result

0 Karma
Reply
Solved! Jump to solution

jameskerivan
Explorer
‎01-05-2016 12:12 PM

Thank you very much. You have been so helpful. The problem I am coming across is with the way we are logging. Your query is correct!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...