topic Extracting value from XML tags in Getting Data In

Extracting value from XML tags

sushma6 — Wed, 12 Mar 2014 04:51:52 GMT

Hi,

Can you help me out in extracting information between the XML tags and perform division operation on it.

In my XML file I have something called 24 , this is one event and other event is 6

Now I need to extract the filesize value i.e. 24 and transtime value i.e. 6 and want to perform divison of filesize/transtime and splunk needs to show the output value i.e. 24/6=4.

I tried out using xmlkv and spath, it is not working out.

Can you help!

Cheers,
Sushma.

Re: Extracting value from XML tags

MuS — Wed, 12 Mar 2014 06:26:32 GMT

Hi sushma6,

something like this should work:

... | spath | eval myDevision=filesize/transtime | table myDevision

This is because when spath is called with no path argument, spath runs in "auto-extract" mode, where it finds and extracts all the fields from the first 5000 characters in the input field which defaults to _raw if another input source isn't specified.

If spathreally does not work, you could try some regex to get the fields like this:

... | rex "\<filesize\>\s(?<myFilesize>\d+)\s.+\<transtime\>\s(?<myTranstime>\d+)\s" | eval myDevision=myFilesize/myTranstime | table myDevision

btw, are you aware that there are some spaces around the numeric values or is this just a copy/paste error?
In your case you can remove spaces from values like this:

... | spath | eval myFilesize=ltrim(filesize) | eval myTranstime=ltrim(transtime) | eval myDevision=myFilesize/myTranstime | table myDevision

hope this helps ...

cheers, MuS

Re: Extracting value from XML tags

sbrant_splunk — Wed, 12 Mar 2014 06:28:33 GMT

One possibility is to use an inline rex or EXTRACT via props.conf. The inline rex(s) would look something like this:

<your base search> | rex "\<filesize\>\s*(?<fsize>\d+)\s*\<\/filesize\>" | rex "\<transtime\>\s*(?<ttime>\d+)\s*\<\/transtime\>" | eval avgtime=fsize/ttime

Out of curiosity, what sort of trouble are you having with xmlkv and spath?