Solved: extract xml field

SplunkCSIT · ‎04-02-2014

i'm new to xml, need help on the following: I got alot of catalogs and some catalog got more books and some got less books. Below is the example of one of the catalog. For this catalog, i got two books and each book have its own key=value that belong to its book. What would be the best approach to extract the key-values pair for each book for each catalog.
thks

<?xml version="1.0"?>

   <catalog>

    <book id="bk101">
      <author>Gambardella, Matthew</author>
      <title>XML Developer's Guide</title>
      <genre>Computer</genre>
      <price>44.95</price>
      <publish_date>2000-10-01</publish_date>
      <description>An in-depth look at creating applications 
      with XML.</description>
     </book>

    <book id="bk101">
      <author>Gambardella, Matthew</author>
      <title>XML Developer's Guide</title>
      <genre>Computer</genre>
      <price>44.95</price>
      <publish_date>2000-10-01</publish_date>
      <description>An in-depth look at creating applications 
      with XML.</description>
     </book>


  </catalog>

MuS · ‎04-02-2014

Hi,

take a look at the spath command, this will take care of XML/JSON data and extract the key=value for you.

cheers, MuS

View solution in original post

to4kawa · ‎12-07-2019

| makeresults 
| eval _raw="<?xml version=\"1.0\">

    <catalog>

     <book id=\"bk101\">
       <author>Gambardella, Matthew</author>
       <title>XML Developer's Guide</title>
       <genre>Computer</genre>
       <price>44.95</price>
       <publish_date>2000-10-01</publish_date>
       <description>An in-depth look at creating applications 
       with XML.</description>
      </book>

     <book id=\"bk101\">
       <author>Gambardella, Matthew</author>
       <title>XML Developer's Guide</title>
       <genre>Computer</genre>
       <price>44.95</price>
       <publish_date>2000-10-01</publish_date>
       <description>An in-depth look at creating applications 
       with XML.</description>
      </book>


   </catalog>"
| spath
| rename catalog.book.* as *
| rename "catalog.book{@id}" as id
| eval counter=mvrange(1,mvcount(id) + 1)
| stats values(*) as * by counter
| table id author title genre price publish_date description

In this case, you can expand with this query.

MuS · ‎04-02-2014

Hi,

take a look at the spath command, this will take care of XML/JSON data and extract the key=value for you.

cheers, MuS

MuS · ‎04-02-2014

this is search related and therefore it goes into props.conf on the indexer, see http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F for more detailed informations

SplunkCSIT · ‎04-02-2014

KV_MODE=xml for your source/sourcetype in props.conf is to be configure at forwarder end or indexer end? thks

MuS · ‎04-02-2014

YourBaseSearchHere | chart values(Title) as Title by author

and please tick the tick to mark this as answered, you can also upvote it 😉

SplunkCSIT · ‎04-02-2014

thks a lot, how to create the table such to show unique author if the the author had more than 1 title? thks

author Title
Gambardella, Matthew XML Developer's Guide
XML Developer's Guide1

MuS · ‎04-02-2014

or you set the KV_MODE=xml for your source/sourcetype in props.conf http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/Propsconf

extract xml field

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!