Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to extract xml tag fileds

mintucs
New Member
‎05-27-2018 11:28 PM

after iindesing the xml tags i am getting the as show below
i am getting trouble how extract the data from it

  <IDX_BASE>B1102</IDX_BASE>
  <NOM_BASE>LANDES DE COUESME</NOM_BASE>
  <IDX_EQUIPEMENT>501</IDX_EQUIPEMENT>
  <NOM_EQUIPEMENT>E3</NOM_EQUIPEMENT>
  <DH_CONTROLE>2/6/2018 16:6:4</DH_CONTROLE>
  <ETAT_ALARME>ALM</ETAT_ALARME>
  <AVIS_EXPERT>ACCEPTABLE</AVIS_EXPERT>
  <RESUME_DIAG>MB: chocs \xE9pisodiques</RESUME_DIAG>
  <DETAILS_DIAG>
Tags (1)
0 Karma
Reply

TISKAR
Builder
‎05-28-2018 01:45 AM

Hello can you try this please:

in the props.conf 

[xml2]
DATETIME_CONFIG = 
NO_BINARY_CHECK = 1
category = Structured
pulldown_type = 1
SHOULD_LINEMERGE = true
REPORT-xmlkv = xml_trans2
disabled = false

in your transforms.conf add :

[xml_trans2]
REGEX=<([^>]+)>([^<]+)<\/\1>
FORMAT=$1::$2
MV_ADD = true
0 Karma
Reply

niketn
Legend
‎05-28-2018 01:38 AM

@mintucs, your XML Data schema seems incorrect. There should be a root node under which above xml child nodes should be present. If you have xml data in raw events, you can enable KV_MODE=xml in props.conf to have Splunk automatically extract the fields from XML data during search time field discovery.

On similar lines please try the following run anywhere example where | makeresults and | eval _raw pipes generate dummy data as per the question. (PS: I have added <SOMENODE> as root node for the xml to become a valid xml so that spath can work):

| makeresults 
| eval _raw="<SOMENODE>
   <IDX_BASE>B1102</IDX_BASE>
   <NOM_BASE>LANDES DE COUESME</NOM_BASE>
   <IDX_EQUIPEMENT>501</IDX_EQUIPEMENT>
   <NOM_EQUIPEMENT>E3</NOM_EQUIPEMENT>
   <DH_CONTROLE>2/6/2018 16:6:4</DH_CONTROLE>
   <ETAT_ALARME>ALM</ETAT_ALARME>
   <AVIS_EXPERT>ACCEPTABLE</AVIS_EXPERT>
   <RESUME_DIAG>MB: chocs \xE9pisodiques</RESUME_DIAG>
   </SOMENODE>" 
| spath
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...