topic Re: how to display all values within the same field name. in Splunk Search

how to display all values within the same field name.

ndayanat — Mon, 27 Mar 2017 21:23:12 GMT

     Ex log:
     (This is a XML log, giving details from the middle and not the entire log)

 Event 1: 
 <students>
 <student name="Raja" age="13" class="6" />
 <student name="Nar" age="15" class'"8" />
 <student name="Mag" age="16" class="7" />
 </students>

 Event 2:
 <students>
 <student name="Rex" age="13" class="6" />
 <student name="Nanny" age="15" class'"8" />
 </students>

I need to know the values under the field "Name". As you can see the count varies for each event. When i check the values it just displays the first value of each of the event.

Re: how to display all values within the same field name.

briancronrath — Mon, 27 Mar 2017 21:28:21 GMT

What is your regex that is extracting it currently?

Re: how to display all values within the same field name.

niketn — Mon, 27 Mar 2017 21:56:48 GMT

@ndayanat... Ideally you should be using either spath or xpath command to traverse XML data.

Following should return all names

| spath path=students.student{}{@name}

Following can be used to find specific position of name

| spath path=students.student{1}{@name}

Read spath documentation or details: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath#6:_Extract_a_subset_of_a_XML_attribute

Since you are getting only first value seems like you are using rex command which by default returns only the first match. you can add max_match=0 to rex command to return all matches for regular expression based name field extraction.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex#Optional_arguments

Re: how to display all values within the same field name.

gcusello — Tue, 28 Mar 2017 07:08:36 GMT

Hi ndayanat,
using this regex you should have all name values (see https://regex101.com/r/8BNM95/1):

name\=\"(?<name>[^\"]*)

You can use it in a rex command | rex "name\=\"(?<name>[^\"]*)" or in a field extraction.

Bye.
Giuseppe

Re: how to display all values within the same field name.

ndayanat — Tue, 28 Mar 2017 23:21:04 GMT

@niketnilay,

Thanks for your time. I tried spath, but it doesnt seem to work. Used max_match=0 in rex and i worked fine. Not able to understand the difference.

Re: how to display all values within the same field name.

niketn — Wed, 29 Mar 2017 04:49:23 GMT

@ndayanat... for spath or xpath one of the requirement would be that you have XML extracted in field. Which you define as input to the command and based on the path provided output will show you the extracted field. So you can try printing the field provided as input and field selected as output to test whether XML is correct or not and that output field is showing value or not.