Solved: Is it possible to set field name and value with re...

Jason · ‎03-06-2013

Is it possible to set field name and value with rex - or some other command - on the search bar?

I have a large XML file with

<name>Field1</name>
<value>value1</value>
<name>Field2</name>
<value>value2</value>

And would like to do an extraction similar to FORMAT = $1::$2 in transforms.conf, but on the search bar to tweak the regex. Can rex do this?

Jason · ‎04-04-2013

Not in rex alone, but it appears possible with rex, eval and mv fields. You need to have data where the fieldname and value are near each other (not overlapping with other fieldnames/values you are looking to extract) and that your _raw field (or at least some field) is unique. It's probably not good to do this on a huge amount of events, but works for testing on a few events (due to the need to stats * to get all the fields back into one event again that were split by mvexpand).

Grab both name and value into one field, mvexpand it out, split it into name and value, use the trick mentioned here to set name and value at the same time with eval {namefield}=valuefield, then stats it back together into one event based on _raw (or your unique field, in case you are parsing more than one event) -- because mvexpand will cause each new event to have only one of the new fields in it.

| stats count
| fields - count
| eval _raw="<name>Field1</name> <value>value1</value>  <name>Field2</name> <value>value2</value>" 
| rex max_match=9999 "<name>(?<myfield>[^<]+</name>\s+<value>[^<]*)</value>"
| mvexpand myfield
| rex field=myfield "(?<myname>[^<]+)</name>\s+<value>(?<myvalue>[^<]*)"
| eval {myname}=myvalue
| fields - myfield myname myvalue
| stats first(*) as * by _raw

View solution in original post

Jason · ‎04-04-2013

Not in rex alone, but it appears possible with rex, eval and mv fields. You need to have data where the fieldname and value are near each other (not overlapping with other fieldnames/values you are looking to extract) and that your _raw field (or at least some field) is unique. It's probably not good to do this on a huge amount of events, but works for testing on a few events (due to the need to stats * to get all the fields back into one event again that were split by mvexpand).

Grab both name and value into one field, mvexpand it out, split it into name and value, use the trick mentioned here to set name and value at the same time with eval {namefield}=valuefield, then stats it back together into one event based on _raw (or your unique field, in case you are parsing more than one event) -- because mvexpand will cause each new event to have only one of the new fields in it.

| stats count
| fields - count
| eval _raw="<name>Field1</name> <value>value1</value>  <name>Field2</name> <value>value2</value>" 
| rex max_match=9999 "<name>(?<myfield>[^<]+</name>\s+<value>[^<]*)</value>"
| mvexpand myfield
| rex field=myfield "(?<myname>[^<]+)</name>\s+<value>(?<myvalue>[^<]*)"
| eval {myname}=myvalue
| fields - myfield myname myvalue
| stats first(*) as * by _raw

Muryoutaisuu · ‎02-12-2015

saved me a lot of work, thank you

BobM · ‎03-06-2013

Have you looked at xmlkv? It sounds like what you need.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Xmlkv

Jason · ‎03-06-2013

I have - but this is a huge XML file that I don't need to waste cpu cycles by fully extracting it out - just certain name value pairs if possible. If rex or spath have a way to set field name as well as value, it would be very helpful

Is it possible to set field name and value with rex? (Similar to $1::$2 in transforms.conf)

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms