Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extraction of Response values from XML in the desired way.

yamini_37
Path Finder
‎05-07-2020 09:37 PM

Hi All,

I am trying to extract the multiple response values for a single request. After using "spath" command, the result is shown below.
Here, I didn't extract any values and just tabulated the needed information. alt text

So, in the XML file, ALB city has 4 streets. Each street contains 4 members. This is single result . Now I want to break it as 16 results with all details as shown below.

alt text

My query looks like
index=ab host=xy source=*y.xml |spath |table _time host City_Name Street_name Person_code Person_role

The above query gave the results shown in the first pic. Now i want to get the results as shown in the second picture. Please help me in framing the query for the latter part to get the expected results.

Thank You.

Labels (1)
Labels
Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

to4kawa
Ultra Champion
‎05-07-2020 10:22 PM 
| makeresults
| eval City_name="ALB"
| eval Street_name=split("Street 1,Street 2,Street 3,Street 4",",")
| eval Person_code=split("1,2,3,4",",")
| eval Person_role=split("Father,Mother,Brother,Sister,Father,Mother,Brother,Sister,Father,Mother,Brother,Sister,Father,Mother,Brother,Sister",",")
| table City_name Street_name Person_code Person_role
| rename COMMENT as "this is your sample. please check this. from here, the logic"

| eval Person_role=mvdedup(Person_role)
| eval Person=mvzip(Person_code,Person_role)
| mvexpand Street_name
| stats values(City_name) as City_name list(Street_name) as Street_name by Person
| mvexpand Street_name
| eval Person_code=mvindex(split(Person,","),0), Person_role=mvindex(split(Person,","),1)
| fields - Person
| table City_name Street_name Person_code Person_role
| sort Street_name
Reply

to4kawa
Ultra Champion
‎05-07-2020 11:41 PM

JSON:

| makeresults
| eval _raw="{\"City Name\":\"ALB\",\"Street name\":[\"street 1\",\"street 2\",\"street 3\",\"street 4\"],\"Person code\":[1,2,3,4],\"Person role\":[\"Father\",\"Mother\",\"Brother\",\"Sister\",\"Father\",\"Mother\",\"Brother\",\"Sister\",\"Father\",\"Mother\",\"Brother\",\"Sister\",\"Father\",\"Mother\",\"Brother\",\"Sister\"]}"
| spath

what's XML ?

0 Karma
Reply

vnravikumar
Champion
‎05-07-2020 09:40 PM

Hi

Can you post sample XML?

0 Karma
Reply

yamini_37
Path Finder
‎05-12-2020 03:53 AM

I couldn't able to share the xml here

0 Karma
Reply

yamini_37
Path Finder
‎05-12-2020 03:54 AM

please find below.

0 Karma
Reply

vnravikumar
Champion
‎05-12-2020 04:09 AM

Hi

Still, it is missing

0 Karma
Reply

yamini_37
Path Finder
‎05-13-2020 01:04 AM

I have posted a new question and tagged you. Could you please check. The subject line of the question is "challenge!!! extraction of XML response values"

0 Karma
Reply

vnravikumar
Champion
‎05-13-2020 01:18 AM

I not able to find, can you post the URL?

0 Karma
Reply

yamini_37
Path Finder
‎05-12-2020 03:38 AM

HI Ravi,

Please find the sample xml. I want to map the data and display as shown in the second picture.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...