Extract Fields from XML logs in Splunk
We all know that Splunk can handle almost any type of data format. Let's say we are getting XML logs from one of our indexes. Now we will show you how to extract fields from those XML logs. Below we have given an example:
In the above images the index name is xml and the sourcetype name is xml_log, from which we are getting data in XML format.
For extracting fields from XML data we will use the xmlkv command. XML logs contain key-value pairs (each tag and its text). We will run the below query and all the fields will be extracted automatically from the XML data.
Query:
index="xml" sourcetype="xml_log"
| xmlkv
Explanation:
Here we have data in XML format. In the above query the index name is xml and the sourcetype name is xml_log. After that we have used the xmlkv command to extract fields based upon key-value pairs. See the above image: the fields are being extracted based upon the key-value pairs, with each XML tag name becoming a field name and the tag's text becoming its value.
Hope this has helped you in achieving the below requirement without fail:
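To make the key-value idea concrete, here is an added example (not part of the original post, and not Splunk's own implementation of xmlkv) that walks over a constructed XML log event with Python's standard library and turns every leaf tag into a field, the same shape you see in the Splunk field sidebar after running `| xmlkv`. The sample event, the field names and the helper names `extract_xml_fields` and `count_failed_logins` are all assumptions made for this illustration. Repeated leaf tags are collected into a list, which is how a multivalue field would appear in Splunk.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample XML log event; not taken from the original post.
SAMPLE_EVENT = """<event>
  <timestamp>2024-01-15T10:22:31Z</timestamp>
  <src_ip>10.0.0.25</src_ip>
  <user>alice</user>
  <action>login</action>
  <status>failure</status>
  <tags><tag>auth</tag><tag>vpn</tag></tags>
</event>"""


def extract_xml_fields(raw_event):
    """Return {field: value} for every leaf element of an XML event.

    Each <key>value</key> pair becomes field 'key' with value 'value',
    mirroring how a key-value extraction reads XML. Container elements
    (those with children, like <event> or <tags>) produce no field of
    their own. A tag that repeats yields a list, i.e. a multivalue field.
    Uses the stdlib parser; for XML from untrusted sources a hardened
    parser such as defusedxml is the safer choice.
    """
    fields = defaultdict(list)
    root = ET.fromstring(raw_event)
    for elem in root.iter():            # depth-first over every element
        is_leaf = len(elem) == 0        # no child elements
        if is_leaf and elem.text and elem.text.strip():
            fields[elem.tag].append(elem.text.strip())
    # Collapse single-valued fields to a plain string, keep lists for multivalue.
    return {k: v[0] if len(v) == 1 else v for k, v in fields.items()}


def count_failed_logins(events):
    """Count events whose extracted fields show a failed login.

    This is the Python analogue of appending
    '| search action=login status=failure | stats count' to the query.
    """
    total = 0
    for raw in events:
        f = extract_xml_fields(raw)
        if f.get("action") == "login" and f.get("status") == "failure":
            total += 1
    return total


if __name__ == "__main__":
    for name, value in extract_xml_fields(SAMPLE_EVENT).items():
        print(f"{name}={value}")
    print("failed logins:", count_failed_logins([SAMPLE_EVENT]))
```

Running the block prints one `field=value` line per leaf tag, which is exactly the set of fields xmlkv would add to the event; the container tags `event` and `tags` do not appear, because only the text inside the innermost tags is a value.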
Extract Fields from XML logs in Splunk
Happy Splunking !!
Good One !!