Splunk Search

How to extract multivalue fields in multiple events from xml data?

chironc
Engager

Hello,

I'm trying to extract information from an XML file. The file repeats the following pattern for each IP address.

<IP value="10.10.10.10" name="toto">
  <INFOS>
    <INFO number="6" severity="1">
      <TITLE>test1</TITLE>
      <LAST_UPDATE><![CDATA[1999-01-01T08:00:00Z]]></LAST_UPDATE>
    </INFO>
    <INFO number="456" severity="12">
      <TITLE>test2</TITLE>
      <LAST_UPDATE><![CDATA[2010-01-01T08:00:00Z]]></LAST_UPDATE>
    </INFO>
    <INFO number="1234" severity="1">
      <TITLE>test3</TITLE>
      <LAST_UPDATE><![CDATA[2012-01-01T08:00:00Z]]></LAST_UPDATE>
    </INFO>
  </INFOS>
</IP>

In the props.conf file, I've added the parameter KV_mode = xml, so I have the following multivalue fields:

IP.INFOS.INFO{@number}
6
456
1234

IP.INFOS.INFO{@severity}
1
12
1

IP.INFOS.INFO.LAST_UPDATE
1999-01-01T08:00:00Z
2010-01-01T08:00:00Z
2012-01-01T08:00:00Z

I would like to separate the fields in order to have those events:

10.10.10.10  |  6      | 1      | 1999-01-01T08:00:00Z
10.10.10.10  |  456    | 12     | 2010-01-01T08:00:00Z
10.10.10.10  |  1234   | 1      | 2012-01-01T08:00:00Z

I tried to use mvexpand, mvzip, spath, etc., but I did not succeed.

Is there a way to do it?

Best regards,

Corentin

1 Solution

somesoni2
SplunkTrust

Give this a try

Your base search
| eval temp=mvzip(mvzip(mvzip('IP.INFOS.INFO.LAST_UPDATE','IP.INFOS.INFO.TITLE',"#"), 'IP.INFOS.INFO{@number}',"#"), 'IP.INFOS.INFO{@severity}',"#")
| table IP{@name},IP{@value},temp
| mvexpand temp
| rex field=temp "(?<LAST_UPDATE>.*)#(?<TITLE>.*)#(?<Number>.*)#(?<Severity>.*)"
| rename IP{@name} as IP_Name IP{@value} as IP_Address
| fields - IP.* temp
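As an added illustration (not part of either post), this Python mimics the accepted search over the question's record: extract_mv_fields stands in for what KV_MODE = xml produces, and mvzip/expand_rows replay the mvzip, mvexpand and rex steps with the same greedy `.*` groups. The fourth INFO record is constructed to show the one thing to check before relying on this idiom: if the delimiter can occur inside a value (a TITLE containing '#'), the rex split misassigns fields, so pick a delimiter that cannot appear in the data. All function names here are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from the post): the question's <IP> record plus a
# fourth INFO whose TITLE contains the '#' delimiter used by the accepted search.
SAMPLE_XML = """<IP value="10.10.10.10" name="toto">
  <INFOS>
    <INFO number="6" severity="1"><TITLE>test1</TITLE><LAST_UPDATE><![CDATA[1999-01-01T08:00:00Z]]></LAST_UPDATE></INFO>
    <INFO number="456" severity="12"><TITLE>test2</TITLE><LAST_UPDATE><![CDATA[2010-01-01T08:00:00Z]]></LAST_UPDATE></INFO>
    <INFO number="1234" severity="1"><TITLE>test3</TITLE><LAST_UPDATE><![CDATA[2012-01-01T08:00:00Z]]></LAST_UPDATE></INFO>
    <INFO number="7" severity="3"><TITLE>issue #4</TITLE><LAST_UPDATE><![CDATA[2013-01-01T08:00:00Z]]></LAST_UPDATE></INFO>
  </INFOS>
</IP>"""

def extract_mv_fields(xml_text):
    """Approximate what KV_MODE = xml yields for one event: scalar IP attributes
    plus one multivalue list per repeated path, in document order."""
    root = ET.fromstring(xml_text)
    infos = list(root.iter("INFO"))
    return {
        "IP{@value}": root.get("value"),
        "IP{@name}": root.get("name"),
        "IP.INFOS.INFO{@number}": [i.get("number") for i in infos],
        "IP.INFOS.INFO{@severity}": [i.get("severity") for i in infos],
        "IP.INFOS.INFO.TITLE": [i.findtext("TITLE") for i in infos],
        "IP.INFOS.INFO.LAST_UPDATE": [i.findtext("LAST_UPDATE") for i in infos],
    }

def mvzip(a, b, delim):
    """Splunk's mvzip(): join the i-th values of two multivalue fields."""
    return [f"{x}{delim}{y}" for x, y in zip(a, b)]

def expand_rows(fields, delim="#"):
    """The accepted answer: mvzip three times, mvexpand, then rex the pieces
    apart. The groups are greedy .* like the original rex, so the split is
    only unambiguous when the delimiter never occurs inside a value."""
    f = fields
    temp = mvzip(mvzip(mvzip(f["IP.INFOS.INFO.LAST_UPDATE"], f["IP.INFOS.INFO.TITLE"], delim),
                       f["IP.INFOS.INFO{@number}"], delim),
                 f["IP.INFOS.INFO{@severity}"], delim)
    d = re.escape(delim)
    rex = re.compile(rf"(?P<LAST_UPDATE>.*){d}(?P<TITLE>.*){d}(?P<Number>.*){d}(?P<Severity>.*)")
    rows = []
    for value in temp:  # mvexpand: one output row per zipped value
        m = rex.fullmatch(value)
        rows.append({"IP_Address": f["IP{@value}"], "IP_Name": f["IP{@name}"], **m.groupdict()})
    return rows
```

With the default '#' the fourth row comes back with LAST_UPDATE = "2013-01-01T08:00:00Z#issue " and TITLE = "4"; calling expand_rows(fields, delim="\x1f") (a control character that cannot appear in these values) splits every row correctly.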

chironc
Engager

Hello,

Thank you. It works!

Best regards,
