https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-fields-from-XML-child-and-leaf-nodes/m-p/216598#M63574 <P>Maybe try adding <CODE>KV_MODE = xml</CODE> in your Search head <CODE>props.conf</CODE>? </P> Tue, 03 Nov 2015 18:55:47 GMT tmarlette 2015-11-03T18:55:47Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-fields-from-XML-child-and-leaf-nodes/m-p/216596#M63572 <P>Hi ,</P> <P>Splunk is pulling data from URLs , which is having below format:</P> <PRE><CODE>&lt;DocumentElement&gt; &lt;CMN_DEPARTMENT&gt;&lt;id&gt;DEP00001044&lt;/id&gt;&lt;sys_id&gt;0036651c6fffb000c60337c64f3ee4ac&lt;/sys_id&gt;&lt;/CMN_DEPARTMENT&gt; &lt;CMN_DEPARTMENT&gt;&lt;id&gt;DEP00001045&lt;/id&gt;&lt;sys_id&gt;0036651c6fffb000c60337c64f3ee4ab&lt;/sys_id&gt;&lt;/CMN_DEPARTMENT&gt; &lt;CMN_DEPARTMENT&gt;&lt;id&gt;DEP00001046&lt;/id&gt;&lt;sys_id&gt;0036651c6fffb000c60337c64f3ee4ad&lt;/sys_id&gt;&lt;/CMN_DEPARTMENT&gt; &lt;CMN_DEPARTMENT&gt;&lt;id&gt;DEP00001047&lt;/id&gt;&lt;sys_id&gt;0036651c6fffb000c60337c64f3ee4ae&lt;/sys_id&gt;&lt;/CMN_DEPARTMENT&gt; &lt;CMN_DEPARTMENT&gt;&lt;id&gt;DEP00001048&lt;/id&gt;&lt;sys_id&gt;0036651c6fffb000c60337c64f3ee4af&lt;/sys_id&gt;&lt;/CMN_DEPARTMENT&gt; &lt;CMN_DEPARTMENT&gt;&lt;id&gt;DEP00001049&lt;/id&gt;&lt;sys_id&gt;0036651c6fffb000c60337c64f3ee4ag&lt;/sys_id&gt;&lt;/CMN_DEPARTMENT&gt; &lt;DocumentElement&gt; </CODE></PRE> <P>Here DocumentElement is the root element, CMN_DEPARTMENT is child element and having "sys_id" are leaf nodes. When I extract index, I'm getting only one sys_id out of 5-6 ids under one event. Like this, we will have 24 events per day (i.e. pulling data from URL every one hour).</P> <P>How to extract each sys_id into index and perform search operations on it?</P> <P>Thanks in advance.</P> Tue, 29 Sep 2020 07:47:30 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-fields-from-XML-child-and-leaf-nodes/m-p/216596#M63572 SrinivasaC 2020-09-29T07:47:30Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-fields-from-XML-child-and-leaf-nodes/m-p/216597#M63573 <P>Have you tried using the <CODE>xmlkv</CODE> command ?</P> Tue, 03 Nov 2015 18:47:32 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-fields-from-XML-child-and-leaf-nodes/m-p/216597#M63573 aljohnson_splun 2015-11-03T18:47:32Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-fields-from-XML-child-and-leaf-nodes/m-p/216598#M63574 <P>Maybe try adding <CODE>KV_MODE = xml</CODE> in your Search head <CODE>props.conf</CODE>? </P> Tue, 03 Nov 2015 18:55:47 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-fields-from-XML-child-and-leaf-nodes/m-p/216598#M63574 tmarlette 2015-11-03T18:55:47Z https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-fields-from-XML-child-and-leaf-nodes/m-p/216599#M63575 <P>Yes, we tried with xmlkv command &amp; "KV_MODE = xml" in props.conf<BR /> We are getting all the results as list basis not in event base means <BR /> ex: 0036651c6fffb000c60337c64f3ee4ac<BR /><BR /> 0036651c6fffb000c60337c64f3ee4ab<BR /><BR /> 0036651c6fffb000c60337c64f3ee4ad <BR /> 0036651c6fffb000c60337c64f3ee4af<BR /><BR /> 0036651c6fffb000c60337c64f3ee4ag</P> <P>Its whole result comes under one result (showing as list/values command).</P> <P>I need it as separate events.</P> Wed, 04 Nov 2015 06:13:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-extract-fields-from-XML-child-and-leaf-nodes/m-p/216599#M63575 SrinivasaC 2015-11-04T06:13:56Z