https://community.splunk.com/t5/Splunk-Search/xml-field-extraction/m-p/13209#M1184 <P>This should do the trick:</P> <P><CODE>EXTRACT-emailsize = &lt;email\s+size=["'](?&lt;emailSize&gt;\d)["'][&gt; ]</CODE></P> <P>Of course, if <CODE>size</CODE> isn't always the first attribute in the <CODE>email</CODE> element, then the regex can start to get ugly.</P> <P>If you are asking how you can automatically extract key value pairs using a combination of the element name and attribute name (like <CODE>emailSize</CODE>, <CODE>headerName</CODE>, <CODE>headerValue</CODE>, <CODE>commandClass</CODE>, <CODE>commandData</CODE>, ... and so on), then it's not something splunk does out of the box...</P> <P>You may also find the <CODE>xmlkv</CODE> command helpful. The the search <CODE>source=*.xml | xmlkv</CODE></P> Tue, 11 May 2010 02:44:20 GMT Lowell 2010-05-11T02:44:20Z https://community.splunk.com/t5/Splunk-Search/xml-field-extraction/m-p/13208#M1183 <P>could someone please explain what stanza configuration i should include in the props.conf file to extract the size attribute from <CODE>&lt;email&gt;</CODE> into the field emailSize. </P> <PRE><CODE>&lt;stream TimeScanned="1271078550"&gt; &lt;command class="MAIL FROM" data="&amp;lt;me@gmail.com&amp;gt; SIZE=42446" /&gt; &lt;email size="42521"&gt; &lt;header Name="attachmentname" Value="driver-install.pdf" /&gt; &lt;/email&gt; </CODE></PRE> <P></P> <P>thanks,</P> Tue, 11 May 2010 00:15:15 GMT https://community.splunk.com/t5/Splunk-Search/xml-field-extraction/m-p/13208#M1183 carmackd 2010-05-11T00:15:15Z https://community.splunk.com/t5/Splunk-Search/xml-field-extraction/m-p/13209#M1184 <P>This should do the trick:</P> <P><CODE>EXTRACT-emailsize = &lt;email\s+size=["'](?&lt;emailSize&gt;\d)["'][&gt; ]</CODE></P> <P>Of course, if <CODE>size</CODE> isn't always the first attribute in the <CODE>email</CODE> element, then the regex can start to get ugly.</P> <P>If you are asking how you can automatically extract key value pairs using a combination of the element name and attribute name (like <CODE>emailSize</CODE>, <CODE>headerName</CODE>, <CODE>headerValue</CODE>, <CODE>commandClass</CODE>, <CODE>commandData</CODE>, ... and so on), then it's not something splunk does out of the box...</P> <P>You may also find the <CODE>xmlkv</CODE> command helpful. The the search <CODE>source=*.xml | xmlkv</CODE></P> Tue, 11 May 2010 02:44:20 GMT https://community.splunk.com/t5/Splunk-Search/xml-field-extraction/m-p/13209#M1184 Lowell 2010-05-11T02:44:20Z https://community.splunk.com/t5/Splunk-Search/xml-field-extraction/m-p/13210#M1185 <P>If the regexes just get too crazy one other option is to leave props.conf alone and just use the xpath command at search time: </P> <PRE><CODE>&lt;your search&gt; | xpath "//email/@size" outfield=emailSize | search emailSize &gt; 40000 </CODE></PRE> Tue, 11 May 2010 14:29:45 GMT https://community.splunk.com/t5/Splunk-Search/xml-field-extraction/m-p/13210#M1185 sideview 2010-05-11T14:29:45Z