topic Re: extract xml field in Dashboards & Visualizations

extract xml field

SplunkCSIT — Wed, 02 Apr 2014 09:21:27 GMT

i'm new to xml, need help on the following: I got alot of catalogs and some catalog got more books and some got less books. Below is the example of one of the catalog. For this catalog, i got two books and each book have its own key=value that belong to its book. What would be the best approach to extract the key-values pair for each book for each catalog.
thks

<?xml version="1.0"?>

   <catalog>

    <book id="bk101">
      <author>Gambardella, Matthew</author>
      <title>XML Developer's Guide</title>
      <genre>Computer</genre>
      <price>44.95</price>
      <publish_date>2000-10-01</publish_date>
      <description>An in-depth look at creating applications 
      with XML.</description>
     </book>

    <book id="bk101">
      <author>Gambardella, Matthew</author>
      <title>XML Developer's Guide</title>
      <genre>Computer</genre>
      <price>44.95</price>
      <publish_date>2000-10-01</publish_date>
      <description>An in-depth look at creating applications 
      with XML.</description>
     </book>


  </catalog>

Re: extract xml field

MuS — Wed, 02 Apr 2014 11:09:12 GMT

Hi,

take a look at the spath command, this will take care of XML/JSON data and extract the key=value for you.

cheers, MuS

Re: extract xml field

MuS — Wed, 02 Apr 2014 11:32:31 GMT

or you set the KV_MODE=xml for your source/sourcetype in props.conf http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/Propsconf

Re: extract xml field

SplunkCSIT — Wed, 02 Apr 2014 13:33:25 GMT

thks a lot, how to create the table such to show unique author if the the author had more than 1 title? thks

author Title
Gambardella, Matthew XML Developer's Guide
XML Developer's Guide1

Re: extract xml field

MuS — Wed, 02 Apr 2014 13:47:31 GMT

YourBaseSearchHere | chart values(Title) as Title by author

and please tick the tick to mark this as answered, you can also upvote it 😉

Re: extract xml field

SplunkCSIT — Thu, 03 Apr 2014 01:02:55 GMT

KV_MODE=xml for your source/sourcetype in props.conf is to be configure at forwarder end or indexer end? thks

Re: extract xml field

MuS — Thu, 03 Apr 2014 06:48:28 GMT

this is search related and therefore it goes into props.conf on the indexer, see http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F for more detailed informations

Re: extract xml field

to4kawa — Sat, 07 Dec 2019 09:48:18 GMT

| makeresults 
| eval _raw="<?xml version=\"1.0\">

    <catalog>

     <book id=\"bk101\">
       <author>Gambardella, Matthew</author>
       <title>XML Developer's Guide</title>
       <genre>Computer</genre>
       <price>44.95</price>
       <publish_date>2000-10-01</publish_date>
       <description>An in-depth look at creating applications 
       with XML.</description>
      </book>

     <book id=\"bk101\">
       <author>Gambardella, Matthew</author>
       <title>XML Developer's Guide</title>
       <genre>Computer</genre>
       <price>44.95</price>
       <publish_date>2000-10-01</publish_date>
       <description>An in-depth look at creating applications 
       with XML.</description>
      </book>


   </catalog>"
| spath
| rename catalog.book.* as *
| rename "catalog.book{@id}" as id
| eval counter=mvrange(1,mvcount(id) + 1)
| stats values(*) as * by counter
| table id author title genre price publish_date description

In this case, you can expand with this query.