
Parse an XML in splunk events

New Member

I have data coming in to Splunk from a SQL table, and one of the columns in the table has XML. Is there a way we can parse that XML and extract fields in Splunk?

The XML is not always the same and keeps changing.

0 Karma

Re: Parse an XML in splunk events

Builder

Look into the xpath command: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Xpath

###

If this reply helps you, an upvote would be appreciated.
0 Karma

Re: Parse an XML in splunk events

New Member

Thanks for your message. I see xmlkv as more useful for this scenario, where the XML fields are automatically pulled.

0 Karma

Re: Parse an XML in splunk events

New Member

The XMLKV command is more useful in this scenario. It automatically pulls all the XML fields and indexes them.

0 Karma

Re: Parse an XML in splunk events

Esteemed Legend

If you can remove the cruft and ensure that the entire raw event is XML, then you can set KV_MODE to xml and it will automatically do dynamic field extraction. Short of that, you can do it manually using xpath:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Xpath

0 Karma
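
The two search-time commands named in this thread, run side by side on one constructed event, as an added example that is not from any of the posters. The field name `xml_payload` (standing in for the SQL column that holds the XML) and the sample XML are assumptions made for illustration.

```spl
| makeresults
| eval sample_note="constructed row; xml_payload stands in for the SQL column that holds XML"
| eval xml_payload="<order><id>1001</id><customer>acme</customer><status>shipped</status></order>"
| xmlkv xml_payload
| xpath outfield=order_status "//order/status" field=xml_payload
| table xml_payload id customer status order_status
```

`xmlkv` creates fields named after the tags it finds, so it keeps working when the XML layout changes, while `xpath` returns only the one path you name. Both read from `_raw` unless a field is given, which is why the column is passed explicitly here.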