topic Re: How to extract Major_Brand_Display_Name value from xml in Splunk Search

How to extract Major_Brand_Display_Name value from xml

kirankotla — Sun, 13 Nov 2016 00:46:48 GMT

           <EmailAddress>RON@xyz.COM</EmailAddress>
           <Attributes>
              <Name>Addressee_Name</Name>
              <Value>bng</Value>
           </Attributes>
           <Attributes>
              <Name>xyz</Name>
              <Value>xyz</Value>
           </Attributes>

           <Attributes>
              <Name>pqr</Name>
              <Value></Value>
           </Attributes>
           <Attributes>
              <Name>xxxx</Name>
              <Value>zzzz</Value>
           </Attributes>

        </Subscribers>

Re: How to extract Major_Brand_Display_Name value from xml

gokadroid — Sun, 13 Nov 2016 02:34:00 GMT

If all of this is a part of single event and you want to extract any one of the above tag name or tag values then just replace the last line of the below query with that tag name exa. | where tagName="Major_Brand_Display_Name | fields - tagName"

index=yourIndex sourcetype=yourSourcetype earliest=-7d@d
| rex field=_raw max_match=0 "\<Name\>(?<name>[^\<]+)<\/Name\>" 
| rex field=_raw max_match=0 "\<Value\>(?<value>[^\<]+)\<\/Value\>" 
| eval z=mvzip(name, value, "~") 
| mvexpand z 
| rex field=z "(?<tagName>[^~]+)~(?<tagValue>.*)" 
| table _time, tagName, tagValue 
| where tagName="Major_Brand_Display_Name"
| chart count(tagValue) over _time by tagValue

Updating as per comments

Re: How to extract Major_Brand_Display_Name value from xml

kirankotla — Tue, 29 Sep 2020 11:44:49 GMT

Awesome! thank you so much.
Is it possible to use timechat based on Major_Brand_Display_Name line timechart span=7d count by Major_Brand_Display_Name

Re: How to extract Major_Brand_Display_Name value from xml

gokadroid — Sun, 13 Nov 2016 03:37:25 GMT

Firstly choose either the time picker for last 7 days or in your query add the earliest=-7d@din the first line where you search your query to get the above xml data as event as something like index=yourIndex sourcetype=yourSourcetype earliest=-7d@d. After that change the last three lines of query as follows where you add the _time in table first, and then chart it later on:

| table _time, tagName, tagValue 
| where tagName="Major_Brand_Display_Name"
| chart count(tagValue) over _time by tagValue

If this works well then please accept the answer and upvote so the question can be closed.

Re: How to extract Major_Brand_Display_Name value from xml

gokadroid — Tue, 29 Sep 2020 11:48:29 GMT

I am down voting this as the question data has been changed after answering the question. the answer given below was for the earlier data (xml tags and values) and it seemed to have work fine for @kirankotla as per user's comments. now at its current state the xml data in question is not intuitive for community users to answer this question and lacks info as to where does "major_brand_display_name" exist as part of xml. Is it a tag <Name> for which a <Value> is required or this text exists as part of <Value> itself and needs an extraction?

Re: How to extract Major_Brand_Display_Name value from xml

kirankotla — Mon, 14 Nov 2016 04:28:32 GMT

Hi gokadroid

As per privacy policy,i removed original data.