https://community.splunk.com/t5/Dashboards-Visualizations/parse-XML-embedded-in-a-field/m-p/339985#M22086 <BLOCKQUOTE> <P>I have a CSV file with 2 fields : time,xml_data</P> </BLOCKQUOTE> <P>As long as you know the name of the field in the CSV which contains the XML spath will work at seach time</P> <PRE><CODE>&lt;your search which includes your csv events&gt;| spath xml_data </CODE></PRE> Thu, 14 Dec 2017 14:20:33 GMT nickhills 2017-12-14T14:20:33Z https://community.splunk.com/t5/Dashboards-Visualizations/parse-XML-embedded-in-a-field/m-p/339982#M22083 <P>Hi there,</P> <P>I have a CSV file with 2 fields : time,xml_data.<BR /> Is there anyway I can parse the xml_data field as XML ?</P> <P>This is a nested XML inside a CSV field and I would prefer to parse it on index time (if not, parsing on search time is also acceptable).</P> <P>Thanks</P> Tue, 29 Sep 2020 17:14:34 GMT https://community.splunk.com/t5/Dashboards-Visualizations/parse-XML-embedded-in-a-field/m-p/339982#M22083 moneybox 2020-09-29T17:14:34Z https://community.splunk.com/t5/Dashboards-Visualizations/parse-XML-embedded-in-a-field/m-p/339983#M22084 <P>Hi @moneybox,</P> <P>You can use <CODE>spath</CODE> for same. Check below search.</P> <PRE><CODE>|inputlookup mylookup | eval _raw=XML_DATA_FIELD | spath output=.. path=.. | table .. </CODE></PRE> <P>Please check my sample search from below doc</P> <P><A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Spath">https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Spath</A></P> <PRE><CODE>| makeresults | eval A="&lt;?xml version=\"1.0\"&gt; &lt;purchases&gt; &lt;book&gt; &lt;author&gt;Martin, George R.R.&lt;/author&gt; &lt;title yearPublished=1996&gt;A Game of Thrones&lt;/title&gt; &lt;title yearPublished=1998&gt;A Clash of Kings&lt;/title&gt; &lt;/book&gt; &lt;book&gt; &lt;author&gt;Clarke, Susanna&lt;/author&gt; &lt;title yearPublished=2004&gt;Jonathan Strange and Mr. Norrell&lt;/title&gt; &lt;/book&gt; &lt;book&gt; &lt;author&gt;Kay, Guy Gavriel&lt;/author&gt; &lt;title yearPublished=1990&gt;Tigana&lt;/title&gt; &lt;/book&gt; &lt;book&gt; &lt;author&gt;Bujold, Lois McMasters&lt;/author&gt; &lt;title yearPublished=1986&gt;The Warrior's Apprentice&lt;/title&gt; &lt;/book&gt; &lt;/purchases&gt;" | eval _raw=A | spath output=dates path=purchases.book.title{@yearPublished} | table dates </CODE></PRE> <P>Thanks</P> Thu, 14 Dec 2017 09:51:05 GMT https://community.splunk.com/t5/Dashboards-Visualizations/parse-XML-embedded-in-a-field/m-p/339983#M22084 kamlesh_vaghela 2017-12-14T09:51:05Z https://community.splunk.com/t5/Dashboards-Visualizations/parse-XML-embedded-in-a-field/m-p/339984#M22085 <P>Thank you, but that works for cases I know what fields should I expect.<BR /> Is there anything that could automatically convert the nested XML to searchable fields in Index Time ?<BR /> Meaning, I want to extract all fields from the nested XML without knowing them.</P> <P>Thanks again </P> Thu, 14 Dec 2017 11:46:45 GMT https://community.splunk.com/t5/Dashboards-Visualizations/parse-XML-embedded-in-a-field/m-p/339984#M22085 moneybox 2017-12-14T11:46:45Z https://community.splunk.com/t5/Dashboards-Visualizations/parse-XML-embedded-in-a-field/m-p/339985#M22086 <BLOCKQUOTE> <P>I have a CSV file with 2 fields : time,xml_data</P> </BLOCKQUOTE> <P>As long as you know the name of the field in the CSV which contains the XML spath will work at seach time</P> <PRE><CODE>&lt;your search which includes your csv events&gt;| spath xml_data </CODE></PRE> Thu, 14 Dec 2017 14:20:33 GMT https://community.splunk.com/t5/Dashboards-Visualizations/parse-XML-embedded-in-a-field/m-p/339985#M22086 nickhills 2017-12-14T14:20:33Z