- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to split multilevel XML to extract fields and ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to split multilevel XML to extract fields and values?
<messaging><messaging_id>data_range</messaging_id><currentTimeStamp>2015-06-11-090445569807</currentTimeStamp>
<TransStatus>Fee Query</TransStatus><IpAddress>180.31.2.21</IpAddress><Port>1342</Port><Header><termID>GET</termID>
</Header><partner><id><range>GTEST</range></id></partner>
From the above mentioned result.
I need to get the values as mentioned below using the rex command. Is it possible?
All the above mentioned values are available in single field _raw.
messaging_id | currentTimeStamp | range
data_range | 2015-06-11-090445569807 | GTEST
In some posts I saw show we can separate it using spath.
I tried the same, but it's not working.
I want to split it like below.
If any other solution is out there, let me know that too.
Sample Code
<vendorProductSet vendorID="2">
<product productID="17" units="mm" >
<prodName nameGroup="custom">
<locName locale="all">APLI 01209</locName>
</prodName>
<desc descGroup="custom">
<locDesc locale="es">Precios</locDesc>
<locDesc locale="fr">Prix</locDesc>
<locDesc locale="de">Preise</locDesc>
<locDesc locale="ca">Preus</locDesc>
<locDesc locale="pt">Preços</locDesc>
</desc>
</product>
| spath output=locDesc path=vendorProductSet.product.desc.locDesc
Result should be :
Precios Prix Preise
I tried with below examples, but it's not working.
source="D:\\Masking_View.log" host="RAKESH-KR" sourcetype="Masking_View"
| spath Masking_View.View_Info.stor_grpname
| spath Masking_View.View_Info.Device.dev_name
| spath Masking_View.View_Info.Totals.total_dev_cap_mb
| table Masking_View.View_Info.stor_grpname
props.conf
C:\Program Files\Splunk\etc\system\local
source="D:\\Masking_View.log" host="RAKESH-KR" sourcetype="Masking_View"
| rename Masking_View.View_Info.stor_grpname as sg_name
| rename Masking_View.View_Info.Device.dev_name as dev_name
| rename Masking_View.View_Info.Totals.total_dev_cap_mb as total_dev_cap_mb
| fields sg_name, dev_name, total_dev_cap_mb | eval f=substr(dev_name,1,2) | table f
and
source="D:\\Masking_View.log" host="RAKESH-KR" sourcetype="Masking_View" | rex field=_raw "^(?:[^ \n]* ){7}(?P<xml>.+)" | spath xml
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Shankarananth,
you can try to extract the field by using props.conf and transforms.conf instead of spath.
Below is example
$SPLUNK_HOME/etc/app/your_app/local/props.conf
[your_sourcetype]
KV_MODE = xml
REPORT-getting_logins_fields = xml_login_fields
$SPLUNK_HOME/etc/app/your_app/local/transforms.conf
[xml_login_fields]
REGEX=([^<]+)>([^<]+)<
FORMAT = $1::$2
MV_ADD = True
I hope this will help you.
Regards,
Badri Srinivas B
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hai Badri Srinivas,
Thanks for your answer and sorry for my late response.
As you mentioned i have been added required details in props.conf and transforms.conf.
transforms.conf
[xml_login_fields]
REGEX=([^<]+)>([^<]+)<
FORMAT = $1::$2
MV_ADD = True
props.conf
[Gate]
KV_MODE = xml
REPORT-getting_logins_fields = xml_login_fields
Still I'm not getting that XMl split-ted values.
Might be i'm doing something wrong in search query.
below mentioned is the search query i'm using.
sourcetype="Gate_View"
| rename Masking_View.View_Info.stor_grpname as sg_name
| rename Masking_View.View_Info.Device.dev_name as dev_name
| rename Masking_View.View_Info.Totals.total_dev_cap_mb as total_dev_cap_mb
| fields sg_name, dev_name, total_dev_cap_mb
If i'm wrong kindly correct me .
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Shankarananth,
You need to change the regex expression according to you xml source.
Regards,
Badri Srinivas B
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Badri Srinivas,
Thanks for your reply and sorry for late reply.
I added details as u mentioned in props.conf and transforms.conf . But still it's not working for me .
I think i am doing some wrong approach in search query.
Below mentioned is the search query i'm using to fetch that xml data filed.
sourcetype="Masking_View"
| rename Masking_View.View_Info.stor_grpname as sg_name
| rename Masking_View.View_Info.Device.dev_name as dev_name
| rename Masking_View.View_Info.Totals.total_dev_cap_mb as total_dev_cap_mb
| fields sg_name, dev_name, total_dev_cap_mb | eval f=substr(dev_name,1,2) | table f
If i'm wrong correct me.
Thanks in advance .
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
