Thursday, January 15, 2015

Splunk and XML and JSON

Even Splunk 4.3.3 can automatically pull out XML and JSON fields at search time.


This means you can query a database table in real time, generate a table of data where each column is an XML and/or JSON element, then push it all to another DB table.


“spath” is the search command you want to use, and usage is something like this:

| spath input=MyFieldThatHasXMLInIt

Yeah, that’s all; it’s seriously great. Note that by default spath only looks at the first 5000 characters of that field, so if you have larger fields you will need to override the system default by adding the section below to /opt/splunk/etc/system/local/limits.conf (adjust the value to whatever is appropriate for your situation). I got this section from /opt/splunk/etc/system/default/limits.conf and tried just pasting it in and restarting Splunk:
[spath]
# number of characters to read from an XML or JSON event when auto extracting
extraction_cutoff = 8000
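As an added example (not from the original post), here is a small Python model of how an spath-style extractor behaves at an extraction_cutoff: a field longer than the cutoff gets truncated before parsing, so the fields after the cut are silently missing from your search results. The sample event and the rule that a truncated document parses to nothing are my constructions, not Splunk's actual parser; the field naming (dots for nesting, {} for array members, {@name} for XML attributes) follows spath's convention.

```python
"""Model of spath field extraction with an extraction_cutoff (added example,
not Splunk code). A truncated document is treated as unparseable here, a
simplification that makes the effect of a too-small cutoff easy to see."""
import json
import xml.etree.ElementTree as ET

DEFAULT_CUTOFF = 5000  # Splunk's default [spath] extraction_cutoff

def flatten_json(obj, prefix, out):
    """Flatten parsed JSON into spath-style multivalue fields."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            flatten_json(val, f"{prefix}.{key}" if prefix else key, out)
    elif isinstance(obj, list):
        for item in obj:
            flatten_json(item, prefix + "{}", out)
    else:
        out.setdefault(prefix, []).append(str(obj))
    return out

def flatten_xml(elem, prefix, out):
    """Flatten an XML element tree into spath-style field names."""
    name = f"{prefix}.{elem.tag}" if prefix else elem.tag
    for attr, val in elem.attrib.items():
        out.setdefault(f"{name}{{@{attr}}}", []).append(val)
    if elem.text and elem.text.strip():
        out.setdefault(name, []).append(elem.text.strip())
    for child in elem:
        flatten_xml(child, name, out)
    return out

def spath_extract(field, cutoff=DEFAULT_CUTOFF):
    """Extract fields from the first `cutoff` chars; also report truncation."""
    data = field[:cutoff]
    try:
        return flatten_json(json.loads(data), "", {}), len(field) > cutoff
    except ValueError:
        pass
    try:
        return flatten_xml(ET.fromstring(data), "", {}), len(field) > cutoff
    except ET.ParseError:
        return {}, len(field) > cutoff

# Constructed sample: a large 'payload' pushes later fields past 5000 chars.
SAMPLE_EVENT = json.dumps({"user": "alice", "payload": "A" * 6000,
                           "result": "denied",
                           "hosts": [{"name": "db1"}, {"name": "db2"}]})
```

With the default cutoff the sample yields no fields at all and the truncation flag is set; with the cutoff raised to 8000 the "result" and "hosts{}.name" fields come back, which is the same test you can run in SPL with eval len(MyField) before trusting searches over large events.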