https://community.splunk.com/t5/Getting-Data-In/How-does-xmlkv-work/m-p/21008#M3095 <P><CODE>xmlkv</CODE> looks for values inside tags of the form <CODE>&lt;fieldname&gt;value&lt;/fieldname&gt;</CODE>. Each time it finds that pattern it sets an extracted field to that value.</P> <P>If there are multiple keys with the same name, the value of the last one will be used. Note that <CODE>value</CODE> may be an empty string, in which case the field will be set to null and may not appear in the list.</P> <P>For your example, you should see an additional field in the field picker named <B><CODE>a</CODE></B>, containing a value of <B><CODE>3</CODE></B>.</P> <P><BR /> <CODE>xmlkv</CODE> is actually a python-based command in the search app, so you can look at the source code in <CODE>apps/search/bin/xmlkv.py</CODE> if you're so inclined.</P> Thu, 06 Jan 2011 09:28:41 GMT southeringtonp 2011-01-06T09:28:41Z https://community.splunk.com/t5/Getting-Data-In/How-does-xmlkv-work/m-p/21007#M3094 <P>All of our data is in XML format that is being indexed. I've been able to pull out a lot of extractions for single value attributes or element values.</P> <P>However I've yet to be able to figure out how to deal with multivalue xpaths. I've tried using xmlkv but there is little to no documentation in the Splunk documentation and answers.splunk.com.</P> <P>IE:</P> <P>&lt;a&gt;1&lt;/a&gt;&lt;a&gt;2&lt;/a&gt;&lt;a&gt;3&lt;/a&gt;</P> <P>I want a field or fields pulled out with a certain name for the values 1,2 and 3. xmlkv doesn't seem to do anything. How can I get the values 1,2 and 3 pulled out into a field?</P> Mon, 19 Dec 2022 15:10:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-xmlkv-work/m-p/21007#M3094 Zambonilli 2022-12-19T15:10:56Z https://community.splunk.com/t5/Getting-Data-In/How-does-xmlkv-work/m-p/21008#M3095 <P><CODE>xmlkv</CODE> looks for values inside tags of the form <CODE>&lt;fieldname&gt;value&lt;/fieldname&gt;</CODE>. Each time it finds that pattern it sets an extracted field to that value.</P> <P>If there are multiple keys with the same name, the value of the last one will be used. Note that <CODE>value</CODE> may be an empty string, in which case the field will be set to null and may not appear in the list.</P> <P>For your example, you should see an additional field in the field picker named <B><CODE>a</CODE></B>, containing a value of <B><CODE>3</CODE></B>.</P> <P><BR /> <CODE>xmlkv</CODE> is actually a python-based command in the search app, so you can look at the source code in <CODE>apps/search/bin/xmlkv.py</CODE> if you're so inclined.</P> Thu, 06 Jan 2011 09:28:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-xmlkv-work/m-p/21008#M3095 southeringtonp 2011-01-06T09:28:41Z https://community.splunk.com/t5/Getting-Data-In/How-does-xmlkv-work/m-p/21009#M3096 <P>To add to what sotheringtop said, you can aways make a copy of the "xmlkv.py" script and make it multi-value aware so that "a" is returned as a muli-value field that contains [ 1, 2, 3 ].</P> <P>But on second thought, it may be easier to just do this with a transformer like so:</P> <PRE><CODE>[xmlkv_multivalue] REGEX = &lt;(.*?)(?:\s[^&gt;]*)?&gt;([^&lt;]*)&lt;/\\1&gt; FORMAT = $1::$2 MV_ADD = true </CODE></PRE> <P>So instead of adding <CODE>| xmlkv</CODE> to you search, add <CODE>| extract xmlkv_multivalue</CODE> and see if that gets you what you want.</P> Thu, 06 Jan 2011 09:47:40 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-xmlkv-work/m-p/21009#M3096 Lowell 2011-01-06T09:47:40Z https://community.splunk.com/t5/Getting-Data-In/How-does-xmlkv-work/m-p/21010#M3097 <P>Thank you for responding so quickly and with fantastic descriptions. </P> <P>At this point I've extracted the parent element of the "a" elements and do searches with preceding and trailing *.</P> Fri, 07 Jan 2011 03:06:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-xmlkv-work/m-p/21010#M3097 Zambonilli 2011-01-07T03:06:36Z https://community.splunk.com/t5/Getting-Data-In/How-does-xmlkv-work/m-p/21011#M3098 <P>Agreed - this is a better way.</P> Fri, 07 Jan 2011 10:33:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-xmlkv-work/m-p/21011#M3098 southeringtonp 2011-01-07T10:33:31Z https://community.splunk.com/t5/Getting-Data-In/How-does-xmlkv-work/m-p/624621#M107368 <P>|spath handles both JSON and XML.</P><LI-CODE lang="markup">|makeresults |eval _raw="&lt;a&gt;1&lt;/a&gt;&lt;a&gt;2&lt;/a&gt;&lt;a&gt;3&lt;/a&gt;" |spath path=a output=a</LI-CODE><P>...or just</P><LI-CODE lang="markup">|makeresults |eval _raw="&lt;a&gt;1&lt;/a&gt;&lt;a&gt;2&lt;/a&gt;&lt;a&gt;3&lt;/a&gt;" |spath</LI-CODE><P>&nbsp;</P> Sat, 17 Dec 2022 00:11:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-does-xmlkv-work/m-p/624621#M107368 scombs 2022-12-17T00:11:57Z