My output is not 100% XML; however, Splunk can help break it into KV pairs by using KV_Mode=XML as a customized source type.
It will give nice key-value pairs, however with long names, flattened from the XML path.
It's like:
asup:ROW.nisdomain.ldap_client.aggr_list.asup:list.asup:li
asup:ROW.nisdomain.ldap_client.allowed_protocols.asup:list.asup:li
Is there any way I can make it shorter?
I don't need: asup:ROW, asup:list and asup:li
Can I use an alias to remove those words from the auto-generated field name?
Here is my input example content:
<asup:ROW col_time_us="1445865110187535" ><vserver >vserver01</vserver><id >11</id><uuid >123478563412-84ae-84ae-84ae-123478563412</uuid><rootvolume >vs_fs_root</rootvolume><aggregate >hpeds2_sata_bronze_1</aggregate><ns_switch ><asup:list><asup:li>ldap</asup:li><asup:li>file</asup:li></asup:list></ns_switch><nm_switch ><asup:list><asup:li>ldap</asup:li><asup:li>file</asup:li></asup:list></nm_switch><nisdomain ><rootvolume_security_style >ntfs</rootvolume_security_style><ldap_client ><language >C</language><snapshot_policy >default</snapshot_policy><comment ></comment><type >data</type><antivirus_on_access_policy >default</antivirus_on_access_policy><quota_policy >default</quota_policy><protocol_services_use_data_lifs >true</protocol_services_use_data_lifs><is_repository >false</is_repository><admin_state >running</admin_state><aggr_list ><asup:list><asup:li>hpeds1_sas_silver_1</asup:li><asup:li>hpeds2_sata_bronze_1</asup:li><asup:li>hpeds3_sas_silver_1</asup:li><asup:li>hpeds4_sata_bronze_1</asup:li></asup:list></aggr_list><max_volumes >unlimited</max_volumes><allowed_protocols ><asup:list><asup:li>cifs</asup:li><asup:li>ndmp</asup:li></asup:list></allowed_protocols></asup:ROW>
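An added illustration, not part of the original post and not Splunk's extraction code: a tolerant tag walker that reproduces the flattened names above from a constructed, cut-down sample (where, as in the posted input, `<nisdomain>` and `<ldap_client>` are never closed) and then drops the three unwanted segments. The names `flatten`, `shorten`, `DROP` and `SAMPLE` are hypothetical.

```python
import re

# Constructed, cut-down version of the posted sample. As in the original,
# <nisdomain> and <ldap_client> are opened but never closed.
SAMPLE = ('<asup:ROW col_time_us="1"><vserver >vserver01</vserver>'
          '<nisdomain ><ldap_client ><type >data</type>'
          '<aggr_list ><asup:list><asup:li>a1</asup:li><asup:li>a2</asup:li>'
          '</asup:list></aggr_list>'
          '<allowed_protocols ><asup:list><asup:li>cifs</asup:li>'
          '<asup:li>ndmp</asup:li></asup:list></allowed_protocols></asup:ROW>')

DROP = {"asup:ROW", "asup:list", "asup:li"}  # segments the post wants removed
TOKEN = re.compile(r"<(/?)([\w:.-]+)[^>]*>|([^<]+)")


def flatten(xml):
    """Walk tags with a stack and return {dotted.path: [values]}."""
    stack, fields = [], {}
    for m in TOKEN.finditer(xml):
        closing, tag, text = m.group(1), m.group(2), m.group(3)
        if text is not None:
            if text.strip() and stack:
                fields.setdefault(".".join(stack), []).append(text.strip())
        elif m.group(0).endswith("/>"):
            continue  # self-closing element: no text, no nesting
        elif closing:
            # Tolerate unclosed elements: pop back to the matching open tag.
            if tag in stack:
                while stack.pop() != tag:
                    pass
        else:
            stack.append(tag)
    return fields


def shorten(fields, drop=DROP):
    """Remove wrapper segments from each name, merging values that collide."""
    out = {}
    for name, values in fields.items():
        short = ".".join(p for p in name.split(".") if p not in drop)
        out.setdefault(short, []).extend(values)
    return out


if __name__ == "__main__":
    for name, values in shorten(flatten(SAMPLE)).items():
        print(name, "=", values)
```

Because the unclosed `<nisdomain>` and `<ldap_client>` stay on the stack, they remain part of every later field name even after the `asup:` segments are dropped.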