Solved: How do I extract key value pairs from a field in a... - Splunk Community

Splunk Search

Hi All,

I have log file which has XML content in one of the fields and I need to extract its key value pairs. Can you please help me on this?

Please provide me any examples.

Thanks
Sathish Rangan

1 Solution

Solution

Hi, you can use the spath command for that:

http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/Spath

See the examples there

View solution in original post

Solution

Hi, you can use the spath command for that:

http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/Spath

See the examples there

Thank you javiergn. it is great help..

Is that can be done in the index time using props/trans conifg instead of search query ?

Yes, you can use KV_MODE = xml in your props.conf

See this

Some other related answers:

https://answers.splunk.com/answers/150155/how-to-configure-props-conf-to-extract-fields-and-line-bre...

https://answers.splunk.com/answers/2889/automatically-extract-xml-key-value-pairs.html

https://answers.splunk.com/answers/29212/extracting-xml-log-files.html

Not sure what you mean by that. Multiple fields as in different field names or multiple values per field?
Can you give me an example? If you post your XML and the result you are expecting it might be easier.

Short answer anyway: yes you can extract multiple field names from your XML and also multivalue fields (see this)

can we extract multiple fileds ??

Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members! The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...