How do I extract fields from XML child and leaf no...

SrinivasaC · ‎11-02-2015

Hi ,

Splunk is pulling data from URLs , which is having below format:

<DocumentElement>
<CMN_DEPARTMENT><id>DEP00001044</id><sys_id>0036651c6fffb000c60337c64f3ee4ac</sys_id></CMN_DEPARTMENT>
<CMN_DEPARTMENT><id>DEP00001045</id><sys_id>0036651c6fffb000c60337c64f3ee4ab</sys_id></CMN_DEPARTMENT>
<CMN_DEPARTMENT><id>DEP00001046</id><sys_id>0036651c6fffb000c60337c64f3ee4ad</sys_id></CMN_DEPARTMENT>
<CMN_DEPARTMENT><id>DEP00001047</id><sys_id>0036651c6fffb000c60337c64f3ee4ae</sys_id></CMN_DEPARTMENT>
<CMN_DEPARTMENT><id>DEP00001048</id><sys_id>0036651c6fffb000c60337c64f3ee4af</sys_id></CMN_DEPARTMENT>
<CMN_DEPARTMENT><id>DEP00001049</id><sys_id>0036651c6fffb000c60337c64f3ee4ag</sys_id></CMN_DEPARTMENT>
<DocumentElement>

Here DocumentElement is the root element, CMN_DEPARTMENT is child element and having "sys_id" are leaf nodes. When I extract index, I'm getting only one sys_id out of 5-6 ids under one event. Like this, we will have 24 events per day (i.e. pulling data from URL every one hour).

How to extract each sys_id into index and perform search operations on it?

Thanks in advance.

tmarlette · ‎11-03-2015

Maybe try adding KV_MODE = xml in your Search head props.conf?

aljohnson_splun · ‎11-03-2015

Have you tried using the xmlkv command ?

SrinivasaC · ‎11-03-2015

Yes, we tried with xmlkv command & "KV_MODE = xml" in props.conf
We are getting all the results as list basis not in event base means
ex: 0036651c6fffb000c60337c64f3ee4ac

0036651c6fffb000c60337c64f3ee4ab

0036651c6fffb000c60337c64f3ee4ad
0036651c6fffb000c60337c64f3ee4af

0036651c6fffb000c60337c64f3ee4ag

Its whole result comes under one result (showing as list/values command).

I need it as separate events.

How do I extract fields from XML child and leaf nodes?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor