Extract key value pair from xml

KarunK
Contributor

Hi All,

I have an interesting problem. I have an XML which has a certain number of key-value pairs which I need to extract.

<record>
    <from>customerservice</from>
    <customer>Dan</customer>
    <heading>Reminder</heading>
    <body>Payment Overdue.Amount=176.Discount=16.Pay=160</body>
</record>

I need to extract the following key value pairs
Amount=176.Amount=16.Pay=160

And turn them into the following table

customer | Amount | Amount | Pay
------------------------------
Dan      | 176    | 16     | 160 

How can I do it?

Appreciate your help.

Thanks

kk

gkanapathy
Splunk Employee

You can use:

... | extract pairdelim="." kvdelim="="
0 Karma

KarunK
Contributor

Hi,

I have tried that too. Didn't work. It may be because the data source is XML. Just guessing...

thx mate ..

kkn

0 Karma

ShaneNewman
Motivator

You can use xmlkv.

If that doesn't work for you, | rex field=_raw "Amount\=(?<amount>\d+)\.Discount\=(?<discount>\d+)\.Pay\=(?<pay>\d+)"

0 Karma

ShaneNewman
Motivator

I don't know of anything to help you, other than what @gkanapathy suggested. You can always set up what he suggested in your props.conf and transforms.conf. This should automatically extract any values that are preceded by an "=" sign as a value of the field before the "=" sign for the sourcetype you specify.

0 Karma

KarunK
Contributor

Hi Shane,
Thanks for the quick response. I am already doing xmlkv and it is extracting the XML values for me.

Eg:

body=Payment Overdue.Amount=176.Discount=16.Pay=160

I can see the rex command will be useful. But I am looking for a generic rule which will extract everything in "body" automatically.

Regards

kkn

0 Karma
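
The generic rule asked for above (split "body" on the pair delimiter, then on the key-value delimiter), written out in Python as an added example; it is not part of the original thread and not Splunk's implementation. The function names and the decimal-value test string are assumptions made for illustration; the regex variant shows why a plain split on "." loses data once a value itself contains a ".".

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the record from the question.
SAMPLE = """<record>
    <from>customerservice</from>
    <customer>Dan</customer>
    <heading>Reminder</heading>
    <body>Payment Overdue.Amount=176.Discount=16.Pay=160</body>
</record>"""

# key=value where the value is an integer or a decimal. Matching the value
# explicitly keeps "176.50" intact, which a plain split on "." would break.
PAIR_RE = re.compile(r"(\w+)=(\d+(?:\.\d+)?)")


def split_pairs(body, pairdelim=".", kvdelim="="):
    """Delimiter rule: split on pairdelim, then on kvdelim.
    Tokens without kvdelim (e.g. "Payment Overdue") are skipped."""
    fields = {}
    for token in body.split(pairdelim):
        key, sep, value = token.partition(kvdelim)
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def regex_pairs(body):
    """Regex rule: safer when a value may contain the pair delimiter."""
    return dict(PAIR_RE.findall(body))


def record_to_row(xml_text, extractor=regex_pairs):
    """Return one table row: customer plus every key=value found in <body>.
    Assumes trusted input; use a hardened parser for untrusted XML."""
    root = ET.fromstring(xml_text)
    row = {"customer": root.findtext("customer", default="")}
    row.update(extractor(root.findtext("body", default="")))
    return row


if __name__ == "__main__":
    row = record_to_row(SAMPLE)
    print(" | ".join(row))            # header line
    print(" | ".join(row.values()))   # value line
```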