We have some logs where fields are separated with html like tags, value or phrase. The problem is that some messages have different fields and/or they may be in different orders.
Our SME's assistance was "Splunk just did it"
Thanks
You can use an xml filter to parse that. A filter can only consume one XML document at a time, so you would need to wrap it in an outer document. With that message
mutate { gsub => [ "message", "^", "<f>", "message", "$", "</f>" ] }
xml { source => "message" target => "theXML" }
would result in
"theXML" => {
"F1" => [
[0] "value"
],
"F3" => [
[0] "value"
]
}
You may also want to use the option force_array => false.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.