how to get parent child fields from XML

ankitarath2011
Path Finder

Hi,

I am trying to monitor an XML file. Content of my props.conf is as follows
[MySourceType]
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
KV_MODE= xml

I want fields to be in parent-child format like we get for JSON. But here all data is coming in one event without a parent-child relation.
Please suggest.

0 Karma

woodcock
Esteemed Legend

Here you go:

| makeresults 
| eval _raw="<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>
 <perform col=\"test\">
     <group name=\"A\">
         <group name=\"B\">
                     <new type=\"T1\" time=\"155928841656\">
                         <counter val=\"11\" name=\"test_name1\"/>
                         <counter val=\"22\" name=\"test_name2\"/>
                     </new>
                     <new type=\"T2\" time=\"155928841656\">
                         <counter val=\"33\" name=\"test_name1\"/>
                         <counter val=\"44\" name=\"test_name2\"/>
                     </new>
         </group>
     </group>
 </perform>" 
| spath 
| fields - *@val* *@time* *@type* *new*@name* 
| rex max_match=0 "(?ms)(?<event>\<new type.*?\<\/new\>)" 
| rex field=event mode=sed "s/\n\s*/\n/g" 
| fields - _raw 
| mvexpand event 
| rename event AS _raw
| rex mode=sed max_match=0 "s/val=(\"[^\"]+\")\s+name=\"([^\"]+)\"/\2=\1/"
| rename COMMENT AS "On my v7.4.2, the 'max_match=0' is not working so I have to duplicate this line == # of counters in array"
| rex mode=sed max_match=0 "s/val=(\"[^\"]+\")\s+name=\"([^\"]+)\"/\2=\1/"
| kv
| eval _time = time/100
| fields - _raw time

0 Karma
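The transformation the answer above builds in SPL (one event per `<counter>`, each carrying the attributes of its enclosing `<new>` and `<group>` elements) can be checked outside Splunk as well. The following Python is an added example and not code from the thread, from Splunk or from any of the posters: it parses a constructed copy of the sample XML, emits one flat dictionary per counter with ancestor attributes under spath-style dotted names (`perform.group.group.new.type` and so on), and, following the `_time = time/100` step in the answer above, treats the `time` attribute as hundredths of a second (an assumption carried over from that answer, not something the XML itself states).

```python
import xml.etree.ElementTree as ET

# Constructed sample input, modelled on the XML posted in this thread
# (with the missing val= on the second counter repaired).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<perform col="test">
    <group name="A">
        <group name="B">
            <new type="T1" time="155928841656">
                <counter val="11" name="test_name1"/>
                <counter val="22" name="test_name2"/>
            </new>
            <new type="T2" time="155928841656">
                <counter val="33" name="test_name1"/>
                <counter val="44" name="test_name2"/>
            </new>
        </group>
    </group>
</perform>
"""


def counter_events(xml_text):
    """Return one flat event (dict) per <counter>, in document order.

    Each event keeps the counter's own attributes unprefixed (val, name) and
    adds every ancestor attribute under a dotted path built from the ancestor
    tags, e.g. perform.group.group.new.type, which mirrors how spath names
    nested XML attributes.
    """
    root = ET.fromstring(xml_text)
    events = []
    _walk(root, [], {}, events)
    return events


def _walk(elem, tags, inherited, events):
    tags = tags + [elem.tag]
    prefix = ".".join(tags)

    if elem.tag == "counter":
        event = dict(inherited)
        event.update(elem.attrib)
        events.append(event)
        return

    # Non-leaf element: push its attributes into the context children inherit.
    context = dict(inherited)
    for key, value in elem.attrib.items():
        context[f"{prefix}.{key}"] = value

    # Assumption taken from the SPL answer: the <new> time attribute is in
    # hundredths of a second, so dividing by 100 gives epoch seconds.
    if elem.tag == "new" and "time" in elem.attrib:
        context["_time"] = int(elem.attrib["time"]) / 100

    for child in elem:
        _walk(child, tags, context, events)


def format_kv(event):
    """Render an event as key="value" pairs, the shape the kv command extracts."""
    parts = []
    for key, value in event.items():
        text = str(value).replace("\\", "\\\\").replace('"', '\\"')
        parts.append(f'{key}="{text}"')
    return " ".join(parts)


if __name__ == "__main__":
    for ev in counter_events(SAMPLE_XML):
        print(format_kv(ev))
```

Running the block prints four lines, one per counter; each line carries `perform.group.name="A"`, `perform.group.group.name="B"` and the `new.type` of its parent, which is the parent-child information the original question asks for. For XML that arrives from an untrusted source, the `defusedxml` package offers the same `fromstring` interface with entity-expansion protections enabled.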

ankitarath2011
Path Finder

Posting the sample input XML.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<perform col="test">
    <group name="A">
        <group name="B">
                    <new type="T1" time="155928841656">
                        <counter val="11" name="test_name1"/>
                        <counter val="22" name="test_name2"/>
                    </new>
                    <new type="T2" time="155928841656">
                        <counter val="33" name="test_name1"/>
                        <counter val="44" name="test_name2"/>
                    </new>
        </group>
    </group>
</perform>

I want each counter as one event and info of its parent (e.g. which type it belongs to).

0 Karma

woodcock
Esteemed Legend

If your events are proper XML, it should "just work". Post some of your events.

0 Karma

niketn
Legend

@ankitarath2011 can you post some sample data and mention what relation you want to build?

Please mask/anonymize any sensitive information before posting. Also use the code button i.e. 101010 or shortcut Ctrl+K before posting so that special characters in your data do not escape.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

amitm05
Builder

I am afraid Splunk's format for providing the indexed info is in key-value pairs.
However, you could probably play around and define some correlation logic to process your indexed data so that parent and child fields are identified.

0 Karma