Solved: may i know if there is any new version of xmlutils...

ahmedhassanean · ‎03-06-2016

may i know if there is any new version of xmlutils app or another app that replace xmlutils

vbumgarner · ‎03-12-2016

Something like this:

| stats count | eval _raw="<x><b a=\"la\">foo</b><b>bar</b></x>" | xmlsplit field=b | xmlkvrecursive | stats count by b

Could be accomplished like this:

| stats count | eval _raw="<x><b a=\"la\">foo</b><b>bar</b></x>" | spath | stats count by x.b

Or if you really need the individual bits as rows in a table, you can use the expensive mvexpand...

| stats count | eval _raw="<x><b a=\"la\">foo</b><b>bar</b></x>" | spath | mvexpand x.b | table x.b x.b{@a}

View solution in original post

ahmedhassanean · ‎03-12-2016

ok many thanks for your support

ahmedhassanean · ‎03-12-2016

mvexpand take So much memory and hard to use in large amount of logs

and regarding second SPL you here just choose count of x.b but i need to split each foo and bar in new event

vbumgarner · ‎03-12-2016

There's no way xmlsplit is going to be more efficient than spath + mvexpand. Calling a python command is always going to be slower than using native commands.

Think about what you're doing with the output. If you're subsequently counting things in a later statement, then you're almost certainly better off using spath, then using stats/chart/timechart to count by the multi-value field created by spath.

xmlsplit is unique in that if you have deeply nested xml blocks that you need to treat as individual events, it might be your best answer. For instance, given

<x><y><b>foo</b></y><y><b>bar</b></y></x>

xmlsplit field=y

Would be difficult to do otherwise. But it's still not super efficient.

Using rex + mvexpand would be more efficient, but wouldn't work if your xml tags aren't unique at each level. Just to illustrate...

index=_internal | head 1000 | eval _raw="<x><y><b a=\"la\">foo</b></y><y><b>bar</b></y></x>" | spath | xmlsplit field=y

This search has completed and has returned 2,000 results by scanning 3,010 events in 3.573 seconds.

vs

index=_internal | head 1000 | eval _raw="<x><y><b a=\"la\">foo</b></y><y><b>bar</b></y></x>" | rex max_match=100 "(?<r><y>.*?</y>)" | mvexpand r | table r

This search has completed and has returned 2,000 results by scanning 2,973 events in 0.48 seconds.

So, that's about 7 times faster using the native commands.

vbumgarner · ‎03-12-2016

Something like this:

| stats count | eval _raw="<x><b a=\"la\">foo</b><b>bar</b></x>" | xmlsplit field=b | xmlkvrecursive | stats count by b

Could be accomplished like this:

| stats count | eval _raw="<x><b a=\"la\">foo</b><b>bar</b></x>" | spath | stats count by x.b

Or if you really need the individual bits as rows in a table, you can use the expensive mvexpand...

| stats count | eval _raw="<x><b a=\"la\">foo</b><b>bar</b></x>" | spath | mvexpand x.b | table x.b x.b{@a}

ahmedhassanean · ‎03-12-2016

there is command in this app that not have corresponding functionality in spath such as xmlsplit

vbumgarner · ‎03-11-2016

xmlutils is something I tossed together years ago. I'm updating it now for a security finding, but not adding any new functionality.

The spath command will do most of what these utils do, and in native code, so it should be much faster.

may i know if there is any new version of xmlutils app

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM