Tuesday, July 8, 2014

I wonder why we don't have a search operator that translates the search results to XML?

I'm thinking something like this:
Conversion from:
Search Result 1 : key1=value1, key2=value2, key3=value3
Search Result 2 : key1=value1, key2=value2, key3=value3
Search Result 3 : key1=value1, key2=value2, key3=value3

To:
<SearchResults>
  <SearchResult1>
    <key1>value1</key1>
    <key2>value2</key2>
    <key3>value3</key3>
  </SearchResult1>
  :
</SearchResults>

This could even operate on tables and convert them to XML.

And it seems straightforward to implement a Search processor that does this.


The main thing to watch out for is memory growth during the XML conversion. A search can return an arbitrary number of results, so building the XML as a single in-memory string risks unbounded growth; we are better off streaming it to a file. At the same time, the new result with the converted XML is useful only when the format and content of the XML are required in a particular manner and serve as input to other search operators. Otherwise, the Atom feed of Splunk already has an output XML mode.
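As an added illustration of the converter sketched above, written for this page and not code from Splunk or the original post, here is a small Python streaming writer. It assumes each search result is a plain dict of field name to value (a stand-in for whatever the search processor would hand it), writes one result at a time so memory stays flat however many results there are, escapes field values so characters such as `<` and `&` in event data cannot break the document or inject markup, and rewrites field names that are not legal XML element names. The sample results are constructed for the example.

```python
import io
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample results, standing in for rows a search would return
# (assumption: each result is a dict of field name -> value string).
SAMPLE_RESULTS = [
    {"host": "web01", "status": "200", "uri": "/index.html"},
    {"host": "web02", "status": "500", "uri": "/search?q=<script>&x=1"},
    {"host": "db01", "status": "", "1st field": "odd name"},
]

_NAME_START = re.compile(r"[^A-Za-z_]")
_NAME_BODY = re.compile(r"[^A-Za-z0-9_.-]")


def xml_element_name(field):
    """Turn a search field name into a valid XML element name.

    Field names may contain spaces or punctuation, or start with a digit;
    none of these are legal in an XML Name, so offending characters are
    replaced with '_' and a leading '_' is added where needed.
    """
    name = _NAME_BODY.sub("_", field)
    if not name or _NAME_START.match(name[0]):
        name = "_" + name
    return name


def write_results_as_xml(results, out):
    """Stream results to the text stream `out` as XML, one result at a time.

    Writing each result as it arrives keeps memory use flat regardless of
    how many results the search returned, instead of accumulating one large
    string. Values are escaped so '<', '>' and '&' in event data cannot
    break the document or inject markup. Returns the number of results written.
    """
    out.write('<?xml version="1.0" encoding="UTF-8"?>\n')
    out.write("<SearchResults>\n")
    count = 0
    for index, result in enumerate(results, start=1):
        out.write(f"  <SearchResult{index}>\n")
        for field, value in result.items():
            tag = xml_element_name(field)
            out.write(f"    <{tag}>{escape(str(value))}</{tag}>\n")
        out.write(f"  </SearchResult{index}>\n")
        count += 1
    out.write("</SearchResults>\n")
    return count


def results_to_xml_string(results):
    """Convenience wrapper for small result sets (and for testing)."""
    buf = io.StringIO()
    write_results_as_xml(results, buf)
    return buf.getvalue()


def read_results_from_xml(xml_text):
    """Parse the XML back into a list of dicts, as a round-trip check."""
    root = ET.fromstring(xml_text)
    return [{child.tag: (child.text or "") for child in result} for result in root]


if __name__ == "__main__":
    # Large result sets go to a file rather than a string.
    with open("search_results.xml", "w", encoding="utf-8") as fh:
        n = write_results_as_xml(SAMPLE_RESULTS, fh)
    print(f"wrote {n} results")
```

The `<SearchResultN>` element naming follows the layout in the post; a downstream consumer that wants a fixed schema would more conventionally use `<SearchResult index="N">`, which is a one-line change in `write_results_as_xml`.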
