Solved: How to extract multi value field from XML?

tcmarquesi · ‎10-05-2016

I want to build a multi value field from my XML. Checking out both the documentation and the answers I figure out I should use spath instead of xmlkv. However, the provided examples did not work for my case. So let me share what I did in order to allow you to point where is my mistake or a better new option, please.

Here is an example of my XML:

And here is the search I tried:
... | spath output=parameterNumber path=Request.RequestParameter.parameterNumber | spath output=parameterValue path=Request.RequestParameter.parameterValue

Thanks in advance!

Regards,

Tiago

sundareshr · ‎10-05-2016

Have you tried regex? Like this

... | rex max_match=0 field=fieldwithxmldata "Number\>(?<nbr>\d+).*[\n\r]*.*.*\>(?<val>\w+)" | eval z=mvzip(nbr, val) | mvexpand z | rex field=z "(?<nbr>[^,]+),(?<val>.*)"

View solution in original post

sundareshr · ‎10-05-2016

Have you tried regex? Like this

... | rex max_match=0 field=fieldwithxmldata "Number\>(?<nbr>\d+).*[\n\r]*.*.*\>(?<val>\w+)" | eval z=mvzip(nbr, val) | mvexpand z | rex field=z "(?<nbr>[^,]+),(?<val>.*)"

tcmarquesi · ‎10-05-2016

Worked, thank you! 🙂

tcmarquesi · ‎10-05-2016

Just complementing, I think I can't set KV_MODE = xml in my props.conf as sugested in * https://answers.splunk.com/answers/227887/how-to-extract-multivalue-fields-from-xml-data-at.html * because the events are not XML-formated, but the XML is into one particular field in some events.

tcmarquesi · ‎10-05-2016

I also tryed the following and did not work...

... | xmlkv | table ID, TS, Name, Request.RequestParameter.parameterNumber, Request.RequestParameter.parameterValue

😞

How to extract multi value field from XML?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor