All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to fulfil the Output section for Web-pages data input?

emcathalo
New Member
‎09-21-2014 12:10 AM

My question concerns the "website Input" modular input. Is it possible to have examples of how to fulfil the "Output" section of a new "Web-pages" data input, please?

The current hint displayed is not clear enough for me (who am not an expert): "The value of the field name will be set to the value of the attribute in the matching element; enter multiple attributes separated by commas".

Thanks in advance,
Emmanuel.

Tags (1)
0 Karma
Reply

LukeMurphey
Champion
‎11-01-2014 12:32 AM

Short answer: you can usually leave it empty.

Long answer: you can set this in order to assign the field names (that are provided to Splunk) based on content within the web-page you are matching.

For example, consider the following HTML:

<div id="model">Focus</div>
<div name="submodel">ST</div>
<div name="make" id="car">Ford</div>

Assuming you have the CSS selector set such that it matches all "div" tags, you would get the following output:

match=Focus match=ST match=Ford

The matches do not distinguish which div tag was set (cannot tell which field is the model, submodel or make). If the setting of the name attributes is "name", then the app would look for the "name" attribute and use that as the name. This results in:

match=Focus submodel=ST make=Ford

You can use multiple names too. In the example above, it makes sense to use "id" too. This can be done by setting the name attributes to "name,id", This would cause the following output with the example above:

model=Focus submodel=ST make=Ford

Now, the fields have names that distinguish what they are. Note that it uses the first match it finds. That means it will look for "name" first and then "id" when the setting is "name,id".

Helpful hint: A good way to test this is to use the "Preview results" link on the web-pages input page to test run your input and see what the output would look like.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...