Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

XML Extraction with multi values

Hazel
Communicator
‎11-24-2010 02:44 PM

Hello

I am looking for a way to extract my values from an xml file, so it seems that using xmlkv would be my best approach, however the names in the xml have spaces in so the xmlkv isn't coping with this.

E.g

<machines>  
    <machine name="a" port="1" active="true">  
        <value>  
            <replace>Example</replace>  
            <cfg>  
                <server name>URL1</serverUrl>  
                <serverUsername>Username1</serverUsername>  
                <server name>URL2</serverUrl>  
                <serverUsername>Username2</serverUsername>  
            </cfg>  
        </value>  
    </machine>  
<machine>

So if I run this through xmlkv, it will pick up "name" as a, reading machine name. It will then completely ignore server name as it also classes this as name.

Is there any way around this? Or another approach that is better?

I am trying to end up with a report that would tell me, machine name and then all the server names associated with it (and similarly for other properties in the file)

Thanks!

Hazel

Tags (1)
0 Karma
Reply

eashwar
Communicator
‎02-07-2013 09:45 AM

have you tried using spath command

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Spath

all the best, and happy Splunking!!

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎11-24-2010 10:49 PM

Technically this is not valid XML. XML parsers will not see a "server name" tag here, they'll instead see a 'server' tag. And when they get to the "name" they will throw an exception because it thinks its an attribute but there is no value and you cant have attributes with no values in XML.

also note that the <replace>Example<replace/> is malformed due to the misplaced slash char.

Also for it to be well-formed XML you need quotes around the two attributes -- the "a" and the "1"

However even if you fixed those problems, it's quite likely that xmlkv wont do everything that you need. For instance the relationship between server1 and URL1 will not be preserved in any way. If your XML really looks like this and cannot be changed I'd recommend a scripted input. Unfortunately of course you wont be able to use an off-the-shelf XML parser because they'll just hit the above problems.

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎11-30-2010 05:30 AM

Also, the XML isn't valid because <server name> doesn't match up against </serverUrl>, and as nick says, the opening tag by XML is <server> with an attribute name with no value. You could try just using regex parsing, or you can write your own script to parse this data, using xmlkv script as a model (it's just a wrapper around a standard library).

0 Karma
Reply

Hazel
Communicator
‎11-25-2010 10:05 AM

Hello. Thanks for your reply. Firstly - the replace and a/1 issues, this was my fault... i was just making up an xml similar to ours to give an example. These are correct in the real file. I've now fixed it above. Is there anything you would recommend now if xmlkv isn't the right thing?

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...