- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- how to get parent child fields from XML
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to get parent child fields from XML
Hi,
I am trying to monitor an XML file. Content of my props.conf is as follows
[MySourceType]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
KV_MODE= xml
I want fileds to be in parent child format like we get for JSON. But here all data coming in one event without parent child relation.
Please suggest.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here you go:
| makeresults
| eval _raw="<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>
<perform col=\"test\">
<group name=\"A\">
<group name=\"B\">
<new type=\"T1\" time=\"155928841656\">
<counter val=\"11\" name=\"test_name1\"/>
<counter val=\"22\" name=\"test_name2\"/>
</new>
<new type=\"T2\" time=\"155928841656\">
<counter val=\"33\" name=\"test_name1\"/>
<counter val=\"44\" name=\"test_name2\"/>
</new>
</group>
</group>
</perform>"
| spath
| fields - *@val* *@time* *@type* *new*@name*
| rex max_match=0 "(?ms)(?<event>\<new type.*?\<\/new\>)"
| rex field=event mode=sed "s/\n\s*/\n/g"
| fields - _raw
| mvexpand event
| rename event AS _raw
| rex mode=sed max_match=0 "s/val=(\"[^\"]+\")\s+name=\"([^\"]+)\"/\2=\1/"
| rename COMMENT AS "On my v7.4.2, the 'max_match=0' is not working so I hve to duplicate this line == # of counters in array"
| rex mode=sed max_match=0 "s/val=(\"[^\"]+\")\s+name=\"([^\"]+)\"/\2=\1/"
| kv
| eval _time = time/100
| fields - _raw time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posting the sample input XML.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<perform col="test">
<group name="A">
<group name="B">
<new type="T1" time="155928841656">
<counter val="11" name="test_name1"/>
<counter="22" name="test_name2"/>
</new>
<new type="T2" time="155928841656">
<counter val="33" name="test_name1"/>
<counter val="44" name="test_name2"/>
</new>
</group>
</group>
</perform>
I want each counter as one event and info of its parent (e.g. which type it belongs to.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your events are proper XML, it should "just work". Post some of your events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ankitarath2011 can you post some sample data and mention what is the relation you want to build?
Please mask/anonymize any sensitive information before posting. Also use the code button i.e. 101010 or shortcut Ctrl+K before posting so that special characters in your data do not escape.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am afraid Splunk format of providing the indexed info is in Key Value pairs.
However you could probably play around and define some correlation logic to process your indexed data to be identified for parent and child fields
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
