All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Parse an XML in splunk events

p0p00aj
New Member
‎04-01-2020 07:47 AM

I have data coming in to splunk from a SQL Table and one of the columns in the table has a XML. Is there a way we can parse that XML and extract fields in splunk??

The XML is not always the same and keeps changing

0 Karma
Reply

woodcock
Esteemed Legend
‎04-01-2020 09:00 AM

If you can remove the cruft and ensure that the entire raw event is XML, then you can set KV_MODE to xml and it will automatically do dynamic field extraction. Short of that, you can do it manually using xpath:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Xpath

0 Karma
Reply

p0p00aj
New Member
‎04-01-2020 08:32 AM

XMLKV command is more useful in this scenario. it automatically pulls all the xml fields and indexes them.

0 Karma
Reply

efavreau
Motivator
‎04-01-2020 07:59 AM

Look into the xpath command: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Xpath

###

If this reply helps you, an upvote would be appreciated.
0 Karma
Reply

p0p00aj
New Member
‎04-01-2020 08:32 AM

Thanks for your message. I see xmlkv more useful for this scenario where the xml fields are automatically pulled.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...