Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

parse XML embedded in a field

moneybox
Explorer
‎12-14-2017 12:53 AM

Hi there,

I have a CSV file with 2 fields : time,xml_data.
Is there anyway I can parse the xml_data field as XML ?

This is a nested XML inside a CSV field and I would prefer to parse it on index time (if not, parsing on search time is also acceptable).

Thanks

Reply

nickhills
Ultra Champion
‎12-14-2017 06:20 AM

I have a CSV file with 2 fields : time,xml_data

As long as you know the name of the field in the CSV which contains the XML spath will work at seach time

<your search which includes your csv events>| spath xml_data
If my comment helps, please give it a thumbs up!
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-14-2017 01:51 AM

Hi @moneybox,

You can use spath for same. Check below search.

|inputlookup mylookup
| eval _raw=XML_DATA_FIELD 
| spath output=.. path=..
| table ..

Please check my sample search from below doc

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Spath

| makeresults 
| eval A="<?xml version=\"1.0\">
<purchases>
   <book>
         <author>Martin, George R.R.</author>
         <title yearPublished=1996>A Game of Thrones</title>
         <title yearPublished=1998>A Clash of Kings</title>
  </book>
   <book>
         <author>Clarke, Susanna</author>
         <title yearPublished=2004>Jonathan Strange and Mr. Norrell</title>
   </book>
   <book>
         <author>Kay, Guy Gavriel</author>
         <title yearPublished=1990>Tigana</title>
   </book>
   <book>
         <author>Bujold, Lois McMasters</author>
         <title yearPublished=1986>The Warrior's Apprentice</title>
   </book>
</purchases>" 
| eval _raw=A 
| spath output=dates path=purchases.book.title{@yearPublished} 
| table dates

Thanks

0 Karma
Reply

moneybox
Explorer
‎12-14-2017 03:46 AM

Thank you, but that works for cases I know what fields should I expect.
Is there anything that could automatically convert the nested XML to searchable fields in Index Time ?
Meaning, I want to extract all fields from the nested XML without knowing them.

Thanks again

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...