https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-of-XML-file/m-p/638799#M221334 <P>Hi,</P> <P>I have the following event (XML) in Splunk, how can I create a dashboard of this XML?</P> <P>&lt;JOB<BR />APPLICATION="AFT-DTA"<BR />CREATION_DATE="20191119"<BR />JOBNAME="T-JOBA"<BR />NODEID="10067"<BR />&lt;VARIABLE NAME="%%FTP-ACCOUNT" VALUE="FIC+DBD"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-LOSTYPE" VALUE="Unix"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-CONNTYPE1" VALUE="SFTP"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-LHOST" VALUE="61021"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-LUSER" VALUE="aft"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-ROSTYPE" VALUE="Windows"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-RHOST" VALUE="dbd7006"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-RUSER" VALUE="aftp"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-LPATH1" VALUE="DIRA"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-RPATH1" VALUE="DIRB"/&gt;<BR />&lt;/JOB&gt;<BR />&lt;JOB<BR />APPLICATION="AFT-DTA"<BR />CREATION_DATE="20200113"<BR />JOBNAME="A-JOBB"<BR />NODEID="10007"<BR />&lt;VARIABLE NAME="%%FTP-ACCOUNT" VALUE="SDP+FIC"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-LOSTYPE" VALUE="Unix"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-CONNTYPE1" VALUE="SFTP"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-LHOST" VALUE="sdp9009"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-LUSER" VALUE="aftp"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-ROSTYPE" VALUE="Unix"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-CONNTYPE2" VALUE="SFTP"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-RHOST" VALUE="61021"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-RUSER" VALUE="aft"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-LPATH1" VALUE="DIRA"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-RPATH1" VALUE="DIRB"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-LPATH2" VALUE="DIRC"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-RPATH2" VALUE="DIRD"/&gt;<BR />&lt;/JOB&gt;</P> <P>&nbsp;</P> <P>Table should look like:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="11.11111111111111%" height="24px">ENV</TD> <TD width="11.11111111111111%" height="24px">JOBNAME</TD> <TD width="11.11111111111111%" height="24px">NODEID</TD> <TD width="11.11111111111111%" height="24px">LCON</TD> <TD width="11.11111111111111%" height="24px">LHOST</TD> <TD width="11.11111111111111%" height="24px">LPATH</TD> <TD width="11.11111111111111%" height="24px">RCON</TD> <TD width="11.11111111111111%" height="24px">RHOST</TD> <TD width="11.11111111111111%" height="24px">RPATH</TD> </TR> <TR> <TD width="11.11111111111111%" height="24px">TST</TD> <TD width="11.11111111111111%" height="24px">T-JOBA</TD> <TD width="11.11111111111111%" height="24px">10067</TD> <TD width="11.11111111111111%" height="24px">FIC</TD> <TD width="11.11111111111111%" height="24px">61021</TD> <TD width="11.11111111111111%" height="24px">DIRA</TD> <TD width="11.11111111111111%" height="24px">DBD</TD> <TD width="11.11111111111111%" height="24px">dbd7006</TD> <TD width="11.11111111111111%" height="24px">DIRB</TD> </TR> <TR> <TD width="11.11111111111111%" height="24px">ACC</TD> <TD width="11.11111111111111%" height="24px">A-JOBB</TD> <TD width="11.11111111111111%" height="24px">10007</TD> <TD width="11.11111111111111%" height="24px">SDP</TD> <TD width="11.11111111111111%" height="24px">sdp9009</TD> <TD width="11.11111111111111%" height="24px"> <P>DIRA<BR />DIRC</P> </TD> <TD width="11.11111111111111%" height="24px">FIC</TD> <TD width="11.11111111111111%" height="24px">61021</TD> <TD width="11.11111111111111%" height="24px">DIRB<BR />DIRC</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Where ENV depends on first letter of JOBNAME</P> <P>Where LCON is the value of&nbsp;FTP-ACCOUNT" before the + sign.<BR />Where RCON is the value of&nbsp;FTP-ACCOUNT" after the + sign.</P> <P>LPATH / RPATH can have multiple values where&nbsp;</P> Thu, 06 Apr 2023 19:05:33 GMT ns102 2023-04-06T19:05:33Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-of-XML-file/m-p/638799#M221334 <P>Hi,</P> <P>I have the following event (XML) in Splunk, how can I create a dashboard of this XML?</P> <P>&lt;JOB<BR />APPLICATION="AFT-DTA"<BR />CREATION_DATE="20191119"<BR />JOBNAME="T-JOBA"<BR />NODEID="10067"<BR />&lt;VARIABLE NAME="%%FTP-ACCOUNT" VALUE="FIC+DBD"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-LOSTYPE" VALUE="Unix"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-CONNTYPE1" VALUE="SFTP"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-LHOST" VALUE="61021"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-LUSER" VALUE="aft"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-ROSTYPE" VALUE="Windows"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-RHOST" VALUE="dbd7006"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-RUSER" VALUE="aftp"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-LPATH1" VALUE="DIRA"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-RPATH1" VALUE="DIRB"/&gt;<BR />&lt;/JOB&gt;<BR />&lt;JOB<BR />APPLICATION="AFT-DTA"<BR />CREATION_DATE="20200113"<BR />JOBNAME="A-JOBB"<BR />NODEID="10007"<BR />&lt;VARIABLE NAME="%%FTP-ACCOUNT" VALUE="SDP+FIC"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-LOSTYPE" VALUE="Unix"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-CONNTYPE1" VALUE="SFTP"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-LHOST" VALUE="sdp9009"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-LUSER" VALUE="aftp"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-ROSTYPE" VALUE="Unix"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-CONNTYPE2" VALUE="SFTP"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-RHOST" VALUE="61021"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-RUSER" VALUE="aft"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-LPATH1" VALUE="DIRA"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-RPATH1" VALUE="DIRB"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-LPATH2" VALUE="DIRC"/&gt;<BR />&lt;VARIABLE NAME="%%FTP-RPATH2" VALUE="DIRD"/&gt;<BR />&lt;/JOB&gt;</P> <P>&nbsp;</P> <P>Table should look like:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="11.11111111111111%" height="24px">ENV</TD> <TD width="11.11111111111111%" height="24px">JOBNAME</TD> <TD width="11.11111111111111%" height="24px">NODEID</TD> <TD width="11.11111111111111%" height="24px">LCON</TD> <TD width="11.11111111111111%" height="24px">LHOST</TD> <TD width="11.11111111111111%" height="24px">LPATH</TD> <TD width="11.11111111111111%" height="24px">RCON</TD> <TD width="11.11111111111111%" height="24px">RHOST</TD> <TD width="11.11111111111111%" height="24px">RPATH</TD> </TR> <TR> <TD width="11.11111111111111%" height="24px">TST</TD> <TD width="11.11111111111111%" height="24px">T-JOBA</TD> <TD width="11.11111111111111%" height="24px">10067</TD> <TD width="11.11111111111111%" height="24px">FIC</TD> <TD width="11.11111111111111%" height="24px">61021</TD> <TD width="11.11111111111111%" height="24px">DIRA</TD> <TD width="11.11111111111111%" height="24px">DBD</TD> <TD width="11.11111111111111%" height="24px">dbd7006</TD> <TD width="11.11111111111111%" height="24px">DIRB</TD> </TR> <TR> <TD width="11.11111111111111%" height="24px">ACC</TD> <TD width="11.11111111111111%" height="24px">A-JOBB</TD> <TD width="11.11111111111111%" height="24px">10007</TD> <TD width="11.11111111111111%" height="24px">SDP</TD> <TD width="11.11111111111111%" height="24px">sdp9009</TD> <TD width="11.11111111111111%" height="24px"> <P>DIRA<BR />DIRC</P> </TD> <TD width="11.11111111111111%" height="24px">FIC</TD> <TD width="11.11111111111111%" height="24px">61021</TD> <TD width="11.11111111111111%" height="24px">DIRB<BR />DIRC</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Where ENV depends on first letter of JOBNAME</P> <P>Where LCON is the value of&nbsp;FTP-ACCOUNT" before the + sign.<BR />Where RCON is the value of&nbsp;FTP-ACCOUNT" after the + sign.</P> <P>LPATH / RPATH can have multiple values where&nbsp;</P> Thu, 06 Apr 2023 19:05:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-of-XML-file/m-p/638799#M221334 ns102 2023-04-06T19:05:33Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-of-XML-file/m-p/638802#M221336 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/255570">@ns102</a>&nbsp;</P><P>What have you tried so far?</P> Wed, 05 Apr 2023 09:18:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-of-XML-file/m-p/638802#M221336 Gr0und_Z3r0 2023-04-05T09:18:08Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-of-XML-file/m-p/638852#M221358 <P>Hi,</P><P>Not much <span class="lia-unicode-emoji" title=":winking_face:">😉</span> I'm new to Splunk and really struggling to add &lt;VARIABLE NAME&gt; to my output.<BR />At the moment I have the following. So that's quite basic;</P><P>&nbsp;| table DEFTABLE.FOLDER.JOB* |<BR />rename DEFTABLE.FOLDER.JOB{@*} as * |<BR />eval temp=mvzip(JOBNAME,mvzip(NODEID,APPLICATION,"&amp;"),"&amp;")<BR />| table temp<BR />| mvexpand temp<BR />| rex field=temp "(?&lt;JOBNAME&gt;.*)&amp;(?&lt;NODEID&gt;.*)&amp;(?&lt;APPLICATION&gt;.*)" | fields - temp</P> Wed, 05 Apr 2023 14:59:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-of-XML-file/m-p/638852#M221358 ns102 2023-04-05T14:59:21Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-of-XML-file/m-p/638950#M221401 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/255570">@ns102</a>&nbsp;<BR /><BR />To get you started,&nbsp; here is something you can do to achieve a table of information you want.<BR />There'll be better ways to do it, but this yields what you are after.<BR /><BR />This is assuming, you are seeing 2 jobs as a single event. Ideally, each job should be treated as a separate event with its own timestamp. This can be done by updating the sourcetype configuration in props.conf, as part of the data ingestion process.<BR />Secondly, to speed things up I would suggest extracting fields during ingestion period, rather than doing it on search time.&nbsp;<BR />For the ENV value, I would suggest creating a lookup, that checks the jobname and returns the environment value. Furthermore, you can setup an automatic lookup so that ENV field is already present even during search time. This way you can just update and maintain the lookup values to accommodate more environments and jobs as and when you have.<BR /><BR />Also, while building dashboards I would recommend building a base-search and using those to get primary set of information to design panels and get insights out of. It will reduce the number of searches with field extractions and get you results as fast as it could.<BR /><BR /></P><P>&nbsp;</P><LI-CODE lang="markup">source="xml.log" host="Beast" sourcetype="test-xml" | rex field=_raw "APPLICATION\=\"(?P&lt;app&gt;.*)\"" | rex mode=sed "s/[\r\n]+/ /g" | rex mode=sed "s/[\%]+//g" | eval job=trim(split(_raw,"&lt;JOB")) | fields _time job | stats values(_time) as _time by job | rex field=job "JOBNAME=\"(?P&lt;JOBNAME&gt;[\w\-]+)" | rex field=job "NODEID=\"(?P&lt;NODEID&gt;[\w\-]+)" | rex field=job "FTP\-ACCOUNT\"\sVALUE\=\"(?P&lt;LCON&gt;[\w]+)\+(?P&lt;RCON&gt;[\w]+)" | rex field=job "FTP\-LHOST\"\sVALUE\=\"(?P&lt;LHOST&gt;[\w]+)" | rex field=job "FTP\-RHOST\"\sVALUE\=\"(?P&lt;RHOST&gt;[\w]+)" | rex field=job "FTP-LPATH1\"\sVALUE\=\"(?P&lt;LPATH1&gt;[\w]+)\"\/\&gt;\s\&lt;VARIABLE\sNAME\=\"FTP-RPATH1\"\sVALUE\=\"(?P&lt;RPATH1&gt;[\w]+)\"\/\&gt;" | rex field=job "FTP-LPATH2\"\sVALUE\=\"(?P&lt;LPATH2&gt;[\w]+)\"\/\&gt;\s\&lt;VARIABLE\sNAME\=\"FTP-RPATH2\"\sVALUE\=\"(?P&lt;RPATH2&gt;[\w]+)\"\/\&gt;" | fillnull LPATH2,RPATH2 value=null | eval LPATH = LPATH1+","+LPATH2 | eval LPATH =replace(LPATH,",null","") | eval RPATH = RPATH1+","+RPATH2 | eval RPATH =replace(RPATH,",null","") | eval ENV=if(JOBNAME="T-JOBA","TST",if(JOBNAME="A-JOBB","ACC","OTHER_ENV")) | table ENV JOBNAME NODEID LCON LHOST LPATH RCON RHOST RPATH | where isnotnull(JOBNAME)</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Gr0und_Z3r0_0-1680761059846.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/24806i25B984BF0B231620/image-size/medium?v=v2&amp;px=400" role="button" title="Gr0und_Z3r0_0-1680761059846.png" alt="Gr0und_Z3r0_0-1680761059846.png" /></span></P><P>&nbsp;</P><P><BR />~ If the reply helps, an upvote would be appreciated.</P><P>&nbsp;</P> Thu, 06 Apr 2023 06:04:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-of-XML-file/m-p/638950#M221401 Gr0und_Z3r0 2023-04-06T06:04:27Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-of-XML-file/m-p/638981#M221408 <P>Wow, I can really go further with this and when I get more experience with Splunk I will make improvements. for now it's a perfect ! Thank you so much!</P><P>LPATH and RPATH are still empty&nbsp; but that's because the value can also contain / _ and \ characters. hopefully I'll can figure this out.</P> Thu, 06 Apr 2023 09:01:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-of-XML-file/m-p/638981#M221408 ns102 2023-04-06T09:01:55Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-of-XML-file/m-p/639056#M221431 <P>Your Q is truncated so I could not do everything but this should get you far enough to finish:</P><LI-CODE lang="markup">| makeresults | eval _raw="&lt;JOB APPLICATION=\"AFT-DTA\" CREATION_DATE=\"20191119\" JOBNAME=\"T-JOBA\" NODEID=\"10067\" &lt;VARIABLE NAME=\"%%FTP-ACCOUNT\" VALUE=\"FIC+DBD\"/&gt; &lt;VARIABLE NAME=\"%%FTP-LOSTYPE\" VALUE=\"Unix\"/&gt; &lt;VARIABLE NAME=\"%%FTP-CONNTYPE1\" VALUE=\"SFTP\"/&gt; &lt;VARIABLE NAME=\"%%FTP-LHOST\" VALUE=\"61021\"/&gt; &lt;VARIABLE NAME=\"%%FTP-LUSER\" VALUE=\"aft\"/&gt; &lt;VARIABLE NAME=\"%%FTP-ROSTYPE\" VALUE=\"Windows\"/&gt; &lt;VARIABLE NAME=\"%%FTP-RHOST\" VALUE=\"dbd7006\"/&gt; &lt;VARIABLE NAME=\"%%FTP-RUSER\" VALUE=\"aftp\"/&gt; &lt;VARIABLE NAME=\"%%FTP-LPATH1\" VALUE=\"DIRA\"/&gt; &lt;VARIABLE NAME=\"%%FTP-RPATH1\" VALUE=\"DIRB\"/&gt; &lt;/JOB&gt; &lt;JOB APPLICATION=\"AFT-DTA\" CREATION_DATE=\"20200113\" JOBNAME=\"A-JOBB\" NODEID=\"10007\" &lt;VARIABLE NAME=\"%%FTP-ACCOUNT\" VALUE=\"SDP+FIC\"/&gt; &lt;VARIABLE NAME=\"%%FTP-LOSTYPE\" VALUE=\"Unix\"/&gt; &lt;VARIABLE NAME=\"%%FTP-CONNTYPE1\" VALUE=\"SFTP\"/&gt; &lt;VARIABLE NAME=\"%%FTP-LHOST\" VALUE=\"sdp9009\"/&gt; &lt;VARIABLE NAME=\"%%FTP-LUSER\" VALUE=\"aftp\"/&gt; &lt;VARIABLE NAME=\"%%FTP-ROSTYPE\" VALUE=\"Unix\"/&gt; &lt;VARIABLE NAME=\"%%FTP-CONNTYPE2\" VALUE=\"SFTP\"/&gt; &lt;VARIABLE NAME=\"%%FTP-RHOST\" VALUE=\"61021\"/&gt; &lt;VARIABLE NAME=\"%%FTP-RUSER\" VALUE=\"aft\"/&gt; &lt;VARIABLE NAME=\"%%FTP-LPATH1\" VALUE=\"DIRA\"/&gt; &lt;VARIABLE NAME=\"%%FTP-RPATH1\" VALUE=\"DIRB\"/&gt; &lt;VARIABLE NAME=\"%%FTP-LPATH2\" VALUE=\"DIRC\"/&gt; &lt;VARIABLE NAME=\"%%FTP-RPATH2\" VALUE=\"DIRD\"/&gt; &lt;/JOB&gt;" | rename COMMENT AS "EVERYTHING ABOVE IS CREATING FAKE DATA; EVERYTHING BELOW IS YOUR SOLUTION" | rex field=_raw mode=sed "s/\&lt;VARIABLE NAME=\"//g s/\"\s+VALUE=/=/g s/\/&gt;//g" | kv | rex field=JOBNAME "^(?&lt;ENV&gt;\w+)-(?&lt;JOBNAME&gt;.*)$" | rex field=FTP_ACCOUNT "^(?&lt;LCON&gt;[^+]+)\+(?&lt;RCON&gt;.*)$" | eval LPATH="" | foreach FTP_LPATH* [ eval LPATH=mvappend(LPATH, &lt;&lt;FIELD&gt;&gt;) | fields - &lt;&lt;FIELD&gt;&gt; ] | eval RPATH="" | foreach FTP_RPATH* [ eval RPATH=mvappend(RPATH, &lt;&lt;FIELD&gt;&gt;) | fields - &lt;&lt;FIELD&gt;&gt; ] | eval LHOST="" | foreach FTP_LHOST* [ eval LHOST=mvappend(LHOST, &lt;&lt;FIELD&gt;&gt;) | fields - &lt;&lt;FIELD&gt;&gt; ] | eval RHOST="" | foreach FTP_RHOST* [ eval RHOST=mvappend(RHOST, &lt;&lt;FIELD&gt;&gt;) | fields - &lt;&lt;FIELD&gt;&gt; ] | table ENV JOBNAME NODEID LCON LHOST LPATH RCON RHOST RPATH TST T-JOBA 10067 FIC 61021 DIRA DBD dbd7006 DIRB ACC A-JOBB 10007 SDP sdp9009 *</LI-CODE> Thu, 06 Apr 2023 18:03:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-dashboard-of-XML-file/m-p/639056#M221431 woodcock 2023-04-06T18:03:48Z