Using external commands
The Splunk search language is extremely powerful, but at times it may be
either difficult or impossible to accomplish some piece of logic using nothing
but the search language. To deal with this, Splunk allows external commands
to be written in Python. A number of commands ship with the product, and a
number of commands are available in apps at http://splunk-base.splunk.com/.
Let's try out a few of the included commands. The documentation for these commands
is included with the other search commands at http://docs.splunk.com/. You can
find a list of all included commands, both internal and external, by searching for All
search commands. We will write our own commands in Chapter 12, Extending Splunk.
Extracting values from XML
Fairly often, machine data is written in XML format. Splunk will index this data
without any issue, but it has no native support for XML. Though XML is not an
ideal logging format, it can usually be parsed simply enough. Two commands
are included in the search app that can help us pull fields out of XML.
xmlkv
xmlkv uses regular expressions to create fields from tag names. For instance,
given the following XML:
<doc><a>foo</a><b>bar</b></doc>
xmlkv will produce the fields a=foo and b=bar. To test, try this:
|stats count
| eval _raw="<doc><a>foo</a><b>bar</b></doc>"
| xmlkv
This produces a table, as shown in the following screenshot:
Because this command uses regular expressions rather than an XML parser, its
advantage is that malformed or incomplete XML events will still produce results.
The flip side is that it does not validate the document at all, so a truncated
event silently yields only the fields that happened to be closed before the cut.
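To make the regex-versus-parser point concrete, here is an added Python example (not Splunk's own xmlkv implementation, which this page does not show) that extracts tag/value pairs the way the text describes and compares the outcome with a strict XML parser on a truncated event. The regular expression, the function names and the sample events are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed pattern modelled on the behaviour the text describes: a tag name,
# optional attributes, its text content and a matching closing tag. No
# document-level structure is checked, and entities are left undecoded.
TAG_RE = re.compile(r"<([A-Za-z_][\w.-]*)(?:\s[^>]*)?>([^<]*)</\1>")


def xmlkv(raw):
    """Return {tag: text} for every complete <tag>text</tag> pair in raw.

    Only leaf elements match, because the text group excludes '<'. Nested
    or unclosed elements are simply skipped, which is what makes the
    regex approach tolerant of malformed input.
    """
    fields = {}
    for name, value in TAG_RE.findall(raw):
        fields.setdefault(name, value)  # keep the first value for a repeated tag (illustrative choice)
    return fields


def strict_fields(raw):
    """Same extraction with a real XML parser; returns None on malformed input."""
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return None
    return {el.tag: (el.text or "") for el in root.iter() if len(el) == 0}


# Constructed sample events: the page's example, a nested document, and an
# event truncated mid-field as a collector might write it.
EVENTS = [
    "<doc><a>foo</a><b>bar</b></doc>",
    "<doc><outer><inner>1</inner></outer></doc>",
    "<event><user>alice</user><action>login</action><src>10.0.0.7",
]


def compare(events):
    """Run both extractors over each event and return the paired results."""
    return [(xmlkv(e), strict_fields(e)) for e in events]


if __name__ == "__main__":
    for raw, (loose, strict) in zip(EVENTS, compare(EVENTS)):
        print(raw)
        print("  regex :", loose)
        print("  parser:", "malformed" if strict is None else strict)
```

The third event is the one that matters in practice: the regex extractor still returns user and action, while the parser rejects the whole event. That is convenient for logs, but it also means a field being absent can mean either "not logged" or "cut off", and a search that alerts on a missing field cannot tell the two apart.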