Splunk Search

How to create the Regular Expression for the xml

m7787580
Explorer

Hi Team,

I have XML in the format present below and i am trying to use field transformation and field extraction in order to extract the field in people format.

Could you please help me in creating regular expression for this xml

<ns4:includeme>false</ns4:includeme>
<m:houseref>21</m:houseref>
<m1:security>***</m1:security>
<Name>Argus</Name>

I would like to have a single regular expression which i can use to extract all the field values and field name.

I tried to use below

- \<\w?\w?\d?\:([^\>]+)\>([^\<]+)\<\/

But its not capturing the last one Argus

So i would like to know if it can be possible if yes then what would be the expression.

Many Thanks

0 Karma

woodcock
Esteemed Legend

Why not use spath (you can certainly go with @richgalloway's answer)?

0 Karma

m7787580
Explorer

Hi Richgalloway's

I am not sure how to use spath.

If you help me in understanding the syntax and usage it would be helpfull.

Many Thanks,

0 Karma

woodcock
Esteemed Legend

You are going to LOVE this. Just add this to the end of your existing search and freak out:

| spath
0 Karma

m7787580
Explorer

Hi wood,

I still cannot see the fields getting extracted 😞

0 Karma

woodcock
Esteemed Legend

Try this and then figure out what is what is wonky in your search (by default it works from the _raw field)

| makeresults
| eval _raw="<ns4:includeme>false</ns4:includeme>
<m:houseref>21</m:houseref>
<m1:security>***</m1:security>
<Name>Argus</Name>"
| spath
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Your regex string was very close. The colon is optional so I put a question mark after it in the regex. This worked for me on regex101.com with your sample data.

\<\w?\w?\d?\:?([^\>]+)\>([^\<]+)\<\/
---
If this reply helps you, Karma would be appreciated.
0 Karma

m7787580
Explorer

Thanks for coming back to me.

 <Na**me**>Argus</Name>

Then it is only capturing me part from Name and i want full Name to be rexed out.

Many Thanks,

0 Karma

niketn
Legend

@m7787580, any reason you are not using spath or xpath command?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...