Splunk Search

How to extract Major_Brand_Display_Name value from xml

kirankotla
New Member
           <EmailAddress>RON@xyz.COM</EmailAddress>
           <Attributes>
              <Name>Addressee_Name</Name>
              <Value>bng</Value>
           </Attributes>
           <Attributes>
              <Name>xyz</Name>
              <Value>xyz</Value>
           </Attributes>

           <Attributes>
              <Name>pqr</Name>
              <Value></Value>
           </Attributes>
           <Attributes>
              <Name>xxxx</Name>
              <Value>zzzz</Value>
           </Attributes>

        </Subscribers>
0 Karma
1 Solution

gokadroid
Motivator

If all of this is part of a single event and you want to extract any one of the above tag names or tag values, then just replace the last line of the query below with that tag name, e.g. | where tagName="Major_Brand_Display_Name" | fields - tagName

index=yourIndex sourcetype=yourSourcetype earliest=-7d@d
| rex field=_raw max_match=0 "<Name>(?<name>[^<]+)</Name>"
| rex field=_raw max_match=0 "<Value>(?<value>[^<]*)</Value>"
| eval z=mvzip(name, value, "~")
| mvexpand z
| rex field=z "(?<tagName>[^~]+)~(?<tagValue>.*)"
| table _time, tagName, tagValue
| where tagName="Major_Brand_Display_Name"
| chart count(tagValue) over _time by tagValue

Updating as per comments


0 Karma
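The pipeline above depends on the Name list and the Value list lining up by position before mvzip pairs them. The following Python is an added illustration, not code from the thread or from Splunk, that mirrors each SPL step (rex max_match=0 as findall, mvzip as zip, mvexpand plus the second rex as a loop, where as a filter, chart as a per-time Counter) on a constructed event. The sample event reuses the question's fragment and assumes, since the thread never shows it, that Major_Brand_Display_Name appears as a <Name> with its own <Value>. It shows why an empty <Value></Value> shifts every later pair by one when the Value regex uses `+`, and why `*` keeps them aligned.

```python
import re
from collections import Counter

# Constructed sample event: the question's XML fragment plus an assumed
# Major_Brand_Display_Name attribute (the thread does not show where it lives).
SAMPLE_EVENT = """<Subscribers>
   <EmailAddress>RON@xyz.COM</EmailAddress>
   <Attributes>
      <Name>Addressee_Name</Name>
      <Value>bng</Value>
   </Attributes>
   <Attributes>
      <Name>pqr</Name>
      <Value></Value>
   </Attributes>
   <Attributes>
      <Name>Major_Brand_Display_Name</Name>
      <Value>BrandA</Value>
   </Attributes>
</Subscribers>"""

# Equivalent of: rex field=_raw max_match=0 "<Name>(?<name>[^<]+)</Name>"
NAME_RE = re.compile(r"<Name>([^<]+)</Name>")
# The thread's Value regex: '+' needs at least one character, so <Value></Value> is skipped.
VALUE_RE_PLUS = re.compile(r"<Value>([^<]+)</Value>")
# Corrected Value regex: '*' also matches the empty value, so one slot is kept per tag.
VALUE_RE_STAR = re.compile(r"<Value>([^<]*)</Value>")


def extract_pairs(event, value_re=VALUE_RE_STAR):
    """Mirror rex max_match=0 -> mvzip(name, value, "~") -> mvexpand z -> rex on z."""
    names = NAME_RE.findall(event)      # multivalue field 'name'
    values = value_re.findall(event)    # multivalue field 'value'
    # mvzip pairs by position; zip stops at the shorter list. Whatever mvzip does
    # with a length mismatch, every pair after a skipped empty value is shifted.
    zipped = [f"{n}~{v}" for n, v in zip(names, values)]
    pairs = []
    for z in zipped:
        m = re.match(r"(?P<tagName>[^~]+)~(?P<tagValue>.*)", z)
        pairs.append((m.group("tagName"), m.group("tagValue")))
    return pairs


def tag_value(event, tag, value_re=VALUE_RE_STAR):
    """Equivalent of: | where tagName="<tag>" (returns the matching tagValue list)."""
    return [v for n, v in extract_pairs(event, value_re) if n == tag]


def chart_by_value(events, tag):
    """Equivalent of: | chart count(tagValue) over _time by tagValue.

    events is a list of (_time, _raw) tuples; the result maps _time -> Counter of values.
    """
    chart = {}
    for t, raw in events:
        for v in tag_value(raw, tag):
            chart.setdefault(t, Counter())[v] += 1
    return chart


if __name__ == "__main__":
    print("with '+':", extract_pairs(SAMPLE_EVENT, VALUE_RE_PLUS))  # pqr gets BrandA, brand tag lost
    print("with '*':", extract_pairs(SAMPLE_EVENT))                 # every tag keeps its own value
    print(chart_by_value([("day1", SAMPLE_EVENT)], "Major_Brand_Display_Name"))
```

Run it and compare the two printed pair lists: with the `+` form the `pqr` tag is paired with `BrandA` and the brand tag disappears from the where filter entirely, which is the kind of silent mismatch to check for whenever a source emits empty elements.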

gokadroid
Motivator

I am downvoting this as the question data has been changed after answering the question. The answer given below was for the earlier data (XML tags and values) and it seemed to have worked fine for @kirankotla as per the user's comments. Now, in its current state, the XML data in the question is not intuitive for community users to answer this question and lacks info as to where "major_brand_display_name" exists as part of the XML. Is it a tag <Name> for which a <Value> is required, or does this text exist as part of <Value> itself and need an extraction?

0 Karma

gokadroid
Motivator

Firstly, choose either the time picker for the last 7 days or, in your query, add earliest=-7d@d in the first line where you search to get the above XML data as an event, something like index=yourIndex sourcetype=yourSourcetype earliest=-7d@d. After that, change the last three lines of the query as follows, where you add _time in the table first and then chart it later on:

| table _time, tagName, tagValue 
| where tagName="Major_Brand_Display_Name"
| chart count(tagValue) over _time by tagValue

If this works well then please accept the answer and upvote so the question can be closed.

0 Karma

kirankotla
New Member

Hi gokadroid

As per privacy policy, I removed the original data.

0 Karma

kirankotla
New Member

Awesome! Thank you so much.
Is it possible to use timechart based on Major_Brand_Display_Name, like timechart span=7d count by Major_Brand_Display_Name?

0 Karma