Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Fetch key/value pair from webservice request?

sachinlohchab
New Member
‎02-15-2018 10:28 AM

Hi I need to fetch key/value pair values from below request.. please help

like for Name key should return Siri
for USER_ROLE return BUS

Request passing as below:

        <entry>
            <key>Name</key>
            <value>Siri</value>
        </entry>
        <entry>
            <key>U_ROLE</key>
            <value>BUS</value>
        </entry>
0 Karma
Reply

niketn
Legend
‎02-17-2018 08:10 PM

@sachinlohchab, based on the sample data provided, try the following run anywhere search. If you have JSON data, KV_MODE=json should be set in props.conf for your sourcetype for automatic search time field extraction. In anycase you can use the commands from | spath onward for your current base search.

| makeresults
| eval _raw="<entry><key>Name</key><value>Siri</value></entry><entry><key>U_ROLE</key><value>BUS</value></entry>"
| spath
| eval data=mvzip('entry.key','entry.value')
| fields - entry.*
| mvexpand data
| eval data=split(data,",")
| eval key=mvindex(data,0), value=mvindex(data,1)
| fields - data _raw _time
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

micahkemp
Champion
‎02-16-2018 07:04 PM

I'm not proud of this search, but it does work:

| makeresults 
| eval _raw="<entry><key>Name</key><value>Siri</value></entry><entry><key>U_ROLE</key><value>BUS</value></entry>"
| xpath outfield=value "//entry/value"
| eval value=mvjoin(value, ",")
| xpath outfield=key "//entry[value]/key"
| makemv delim="," value
| eval key_value=mvzip(key, value)
| fields key_value
| mvexpand key_value
| rex field=key_value "(?<key>[^,]+),(?<value>.*)"

The mvjoin and makemv lines are there because, for some reason, calling xpath a second time results in the first multivalue field it produced being squashed into a single, space-delimited value instead.

Perhaps someone will come along and show the proper way to do this. I've never used it before.

0 Karma
Reply

sachinlohchab
New Member
‎02-17-2018 05:07 PM

Written below regex to fetch the value I need...works for me..

rex field=_raw "USR_ROLE<\/key>$\n[ ](?.|)<\/value>$"

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2018 02:31 PM

Have you looked at the xpath command?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sachinlohchab
New Member
‎02-16-2018 02:39 PM

Can you give me the command to fetch per my request. I am new to splunk

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...