-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
0d41b1f
commit 2755f01
Showing
3 changed files
with
132 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| xmlutils provides a few commands for working with xml documents. xmlkv and xpath can accomplish most tasks, these are simply alternatives. | ||
|
|
||
| These commands will work on a field called "xml" if found, otherwise _raw. | ||
|
|
||
| xmlprettyprint | ||
| xmlprettyprint does what you would expect, pretty printing the xml. | ||
|
|
||
| xmlsplit | ||
| xmlsplit splits nodes into new events, copying other fields on the event to the new events. | ||
|
|
||
| Examples: | ||
| Given this xml: | ||
| <a><b>foo</b><b>bar</b></a> | ||
|
|
||
| xmlsplit field="b" | ||
| will create two events: | ||
| <b>foo</b> <b>bar</b> | ||
|
|
||
| xmlkvrecursive | ||
| xmlkvrecursive recursively builds fields from the tag and attribute names. The optional boolean flatten determines how repeated fields are treated. By default, repeated field names will be appended into a multi-value field. With flatten="true", new fields will be created. | ||
|
|
||
| Examples: | ||
| sourcetype=* | head 1 | eval _raw="<a la='sdf'><b>foo</b><b>bar</b></a>" | xmlkvrecursive | ||
| produces: | ||
| a-la = sdf a_b = [foo,bar] | ||
|
|
||
| sourcetype=* | head 1 | eval _raw="<a la='sdf'><b>foo</b><b>bar</b></a>" | xmlkvrecursive flatten=true | ||
| produces: | ||
| a-la = sdf a_b = foo a_b[2](http://splunkbase.splunk.com/wiki/2) = bar | ||
|
|
||
| Most of the time, xpath or xmlkv would be more appropriate. This command is useful if you need to extract multiple fields that are not extracted easily using one of those commands. | ||
|
|
||
| xmlstripdeclaration | ||
| xmlstripdeclaration removes the <?xml declaration from the beginning of the xml. This is needed if the declaration is incorrect and the parser used by the other commands would refuse to continue. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,94 @@ | ||
| { | ||
| "schemaVersion": "2.0.0", | ||
| "info": { | ||
| "title": "xmlutils", | ||
| "id": { | ||
| "group": null, | ||
| "name": "xmlutils", | ||
| "version": "1.2.0" | ||
| }, | ||
| "author": [ | ||
| { | ||
| "name": "vbumgarner", | ||
| "email": null, | ||
| "company": null | ||
| } | ||
| ], | ||
| "releaseDate": null, | ||
| "description": "XML utilities", | ||
| "classification": { | ||
| "intendedAudience": null, | ||
| "categories": [], | ||
| "developmentStatus": null | ||
| }, | ||
| "commonInformationModels": null, | ||
| "license": { | ||
| "name": null, | ||
| "text": null, | ||
| "uri": null | ||
| }, | ||
| "privacyPolicy": { | ||
| "name": null, | ||
| "text": null, | ||
| "uri": null | ||
| }, | ||
| "releaseNotes": { | ||
| "name": null, | ||
| "text": null, | ||
| "uri": null | ||
| } | ||
| }, | ||
| "dependencies": null, | ||
| "tasks": null, | ||
| "inputGroups": null, | ||
| "incompatibleApps": null, | ||
| "platformRequirements": null, | ||
| "supportedDeployments": [ | ||
| "_standalone", | ||
| "_distributed" | ||
| ], | ||
| "targetWorkloads": null | ||
| } | ||
| # The following sections can be customized and added to the manifest. For detailed information, | ||
| # see the documentation at http://dev.splunk.com/view/packaging-toolkit/SP-CAAAE9V | ||
| # | ||
| # Lists the app dependencies and version requirements | ||
| # "dependencies": { | ||
| # "<app-group>:<app-name>": { | ||
| # "version": "*", | ||
| # "package": "<source-package-name>", | ||
| # "optional": [true|false] | ||
| # } | ||
| # } | ||
| # | ||
| # Lists the inputs that belong on the search head rather than forwarders | ||
| # "tasks": [] | ||
| # | ||
| # Lists the possible input groups with app dependencies, and inputs that should be included | ||
| # "inputGroups": { | ||
| # "<group-name>": { | ||
| # "requires": { | ||
| # "<app-group>:<app-name>": ["<dependent-input-groups>"] | ||
| # }, | ||
| # "inputs": ["<defined-inputs>"] | ||
| # } | ||
| # } | ||
| # | ||
| # Lists the app IDs that cannot be installed on the system alongside this app | ||
| # "incompatibleApps": { | ||
| # "<app-group>:<app-name>": "<version>" | ||
| # } | ||
| # | ||
| # Specify the platform version requirements for this app | ||
| # "platformRequirements": { | ||
| # "splunk": { | ||
| # "Enterprise": "<version>" | ||
| # } | ||
| # } | ||
| # | ||
| # Lists the supported deployment types this app can be installed on | ||
| # "supportedDeployments": ["*" | "_standalone" | "_distributed" | "_search_head_clustering"] | ||
| # | ||
| # Lists the targets where app can be installed to | ||
| # "targetWorkloads": ["*" | "_search_heads" | "_indexers" | "_forwarders"] | ||
| # |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters