Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to extract xml tag fileds

mintucs
New Member
‎05-27-2018 11:28 PM

after iindesing the xml tags i am getting the as show below
i am getting trouble how extract the data from it

  <IDX_BASE>B1102</IDX_BASE>
  <NOM_BASE>LANDES DE COUESME</NOM_BASE>
  <IDX_EQUIPEMENT>501</IDX_EQUIPEMENT>
  <NOM_EQUIPEMENT>E3</NOM_EQUIPEMENT>
  <DH_CONTROLE>2/6/2018 16:6:4</DH_CONTROLE>
  <ETAT_ALARME>ALM</ETAT_ALARME>
  <AVIS_EXPERT>ACCEPTABLE</AVIS_EXPERT>
  <RESUME_DIAG>MB: chocs \xE9pisodiques</RESUME_DIAG>
  <DETAILS_DIAG>
Tags (1)
0 Karma
Reply

TISKAR
Builder
‎05-28-2018 01:45 AM

Hello can you try this please:

in the props.conf 

[xml2]
DATETIME_CONFIG = 
NO_BINARY_CHECK = 1
category = Structured
pulldown_type = 1
SHOULD_LINEMERGE = true
REPORT-xmlkv = xml_trans2
disabled = false

in your transforms.conf add :

[xml_trans2]
REGEX=<([^>]+)>([^<]+)<\/\1>
FORMAT=$1::$2
MV_ADD = true
0 Karma
Reply

niketn
Legend
‎05-28-2018 01:38 AM

@mintucs, your XML Data schema seems incorrect. There should be a root node under which above xml child nodes should be present. If you have xml data in raw events, you can enable KV_MODE=xml in props.conf to have Splunk automatically extract the fields from XML data during search time field discovery.

On similar lines please try the following run anywhere example where | makeresults and | eval _raw pipes generate dummy data as per the question. (PS: I have added <SOMENODE> as root node for the xml to become a valid xml so that spath can work):

| makeresults 
| eval _raw="<SOMENODE>
   <IDX_BASE>B1102</IDX_BASE>
   <NOM_BASE>LANDES DE COUESME</NOM_BASE>
   <IDX_EQUIPEMENT>501</IDX_EQUIPEMENT>
   <NOM_EQUIPEMENT>E3</NOM_EQUIPEMENT>
   <DH_CONTROLE>2/6/2018 16:6:4</DH_CONTROLE>
   <ETAT_ALARME>ALM</ETAT_ALARME>
   <AVIS_EXPERT>ACCEPTABLE</AVIS_EXPERT>
   <RESUME_DIAG>MB: chocs \xE9pisodiques</RESUME_DIAG>
   </SOMENODE>" 
| spath
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...