topic Re: How to split multilevel XML to extract fields and values? in Splunk Search

How to split multilevel XML to extract fields and values?

Shan — Wed, 15 Jul 2015 12:45:55 GMT

<messaging><messaging_id>data_range</messaging_id><currentTimeStamp>2015-06-11-090445569807</currentTimeStamp>
<TransStatus>Fee Query</TransStatus><IpAddress>180.31.2.21</IpAddress><Port>1342</Port><Header><termID>GET</termID>
</Header><partner><id><range>GTEST</range></id></partner>

From the above mentioned result.
I need to get the values as mentioned below using the rex command. Is it possible?
All the above mentioned values are available in single field _raw.

messaging_id   |    currentTimeStamp     |      range  
data_range     | 2015-06-11-090445569807 |      GTEST

In some posts I saw show we can separate it using spath.
I tried the same, but it's not working.
I want to split it like below.
If any other solution is out there, let me know that too.

Sample Code

<vendorProductSet vendorID="2">
            <product productID="17" units="mm" >
                <prodName nameGroup="custom">
                    <locName locale="all">APLI 01209</locName>
                </prodName>
                <desc descGroup="custom">
                    <locDesc locale="es">Precios</locDesc>
                    <locDesc locale="fr">Prix</locDesc>
                    <locDesc locale="de">Preise</locDesc>
                    <locDesc locale="ca">Preus</locDesc>
                    <locDesc locale="pt">Preços</locDesc> 
                </desc>
           </product>

       | spath output=locDesc path=vendorProductSet.product.desc.locDesc

Result should be :

Precios Prix Preise

I tried with below examples, but it's not working.

source="D:\\Masking_View.log" host="RAKESH-KR" sourcetype="Masking_View"
 | spath Masking_View.View_Info.stor_grpname 
 | spath Masking_View.View_Info.Device.dev_name  
 | spath Masking_View.View_Info.Totals.total_dev_cap_mb  
 | table  Masking_View.View_Info.stor_grpname

props.conf

C:\Program Files\Splunk\etc\system\local

source="D:\\Masking_View.log" host="RAKESH-KR" sourcetype="Masking_View" 
 | rename Masking_View.View_Info.stor_grpname as sg_name
 | rename Masking_View.View_Info.Device.dev_name as dev_name
 | rename Masking_View.View_Info.Totals.total_dev_cap_mb as total_dev_cap_mb 
 | fields sg_name, dev_name, total_dev_cap_mb | eval f=substr(dev_name,1,2)  | table f

and

 source="D:\\Masking_View.log" host="RAKESH-KR" sourcetype="Masking_View"  | rex field=_raw  "^(?:[^ \n]* ){7}(?P<xml>.+)"  | spath xml

Re: How to split multilevel XML to extract fields and values?

sbbadri — Tue, 29 Sep 2020 06:42:08 GMT

Hi Shankarananth,

you can try to extract the field by using props.conf and transforms.conf instead of spath.

Below is example

$SPLUNK_HOME/etc/app/your_app/local/props.conf

[your_sourcetype]
KV_MODE = xml
REPORT-getting_logins_fields = xml_login_fields

$SPLUNK_HOME/etc/app/your_app/local/transforms.conf

[xml_login_fields]
REGEX=([^<]+)>([^<]+)<
FORMAT = $1::$2 
MV_ADD = True

I hope this will help you.

Regards,
Badri Srinivas B

Re: How to split multilevel XML to extract fields and values?

Shan — Tue, 29 Sep 2020 06:48:46 GMT

Hi Badri Srinivas,

Thanks for your reply and sorry for late reply.
I added details as u mentioned in props.conf and transforms.conf . But still it's not working for me .
I think i am doing some wrong approach in search query.
Below mentioned is the search query i'm using to fetch that xml data filed.

If i'm wrong correct me.
Thanks in advance .

Re: How to split multilevel XML to extract fields and values?

Shan — Tue, 29 Sep 2020 06:46:48 GMT

Hai Badri Srinivas,

Thanks for your answer and sorry for my late response.
As you mentioned i have been added required details in props.conf and transforms.conf.

transforms.conf

[xml_login_fields]
REGEX=([^<]+)>([^<]+)<
FORMAT = $1::$2
MV_ADD = True

props.conf

[Gate]
KV_MODE = xml
REPORT-getting_logins_fields = xml_login_fields

Still I'm not getting that XMl split-ted values.
Might be i'm doing something wrong in search query.

below mentioned is the search query i'm using.

sourcetype="Gate_View"
| rename Masking_View.View_Info.stor_grpname as sg_name
| rename Masking_View.View_Info.Device.dev_name as dev_name
| rename Masking_View.View_Info.Totals.total_dev_cap_mb as total_dev_cap_mb
| fields sg_name, dev_name, total_dev_cap_mb

If i'm wrong kindly correct me .

Thanks in advance.

Re: How to split multilevel XML to extract fields and values?

sbbadri — Mon, 27 Jul 2015 15:19:29 GMT

Hi Shankarananth,

You need to change the regex expression according to you xml source.

Regards,
Badri Srinivas B