- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I extract fields from a list of field name...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My xml data looks like this:
<name>A</name>
<name>B</name>
<name>C</name>
<filler>someStuff</filler>
<value>1</value>
<value>2</value>
<value>3</value>
How can I extract fields so field A has value 1, B has 2, and C has 3?
Also, sometimes there will be names with no values, and sometimes there be multiple value lists so each field will be multi-valued.
These fields need to be added to the event--not extracted into a new event--because there are other fields in the event that can be extracted as usual xml key-value pairs.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The XMLKV search command is your friend:
http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/xmlkv
if the fields do not have distinct names consider using MULTIKV instead:
http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Multikv
Does that help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The XMLKV search command is your friend:
http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/xmlkv
if the fields do not have distinct names consider using MULTIKV instead:
http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Multikv
Does that help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just out of curiosity: how did you use MULTIKV for this xml format? This one of the commands I haven't done much with and would like utilize your knowledge about it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update: MULTIKV gets everything I want. I was looking at it wrong.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. XMLKV is good for XML in general but does not understand the connection my data source has between names and values. XMLKV gives me a multivalue field called "name" and another multivalue field called "value". I need each "name" entry to be a field name and the corresponding "value" entry to be its value.
MULTIKV gets closer, but I have not figured out how to include more than just the fields extracted by MULTIKV in the new events that are created. For example, in my example, I want not only A=1, B=2, and C=3, but also filler=someStuff. I will keep investigating MULTIKV.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
