Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extract key value pair from xml

KarunK
Contributor
‎11-06-2013 08:08 PM

Hi All,

I have an interesting problem. I have an xml which has a certain number of key value pairs which I need to extract it.

<record>
    <from>customerservice</from>
    <customer>Dan</customer>
    <heading>Reminder</heading>
    <body>Payment Overdue.Amount=176.Discount=16.Pay=160</body>
</record>

I need to extract the following key value pairs
Amount=176.Amount=16.Pay=160

And turn them into a following table

customer | Amount | Amount | Pay
------------------------------
Dan      | 176    | 16     | 160

How can I do it ?

Appreciate your help.

Thanks

kk

Tags (2)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎11-07-2013 12:14 AM

You can use:

... | extract pairdelim="." kvdelim="="
0 Karma
Reply

KarunK
Contributor
‎11-07-2013 03:20 AM

Hi,

I have tried that too..Didn't work. It may be because, the data source is xml. Just guessing...

thx mate ..

kkn

0 Karma
Reply

ShaneNewman
Motivator
‎11-06-2013 08:14 PM

You can use xmllv

xmlkv link

If that doesn't work for you, | rex field=_raw "Amount\=(?<amount>\d+)\.Discount\=(?<discount>\d+)\.Pay\=(?<pay>\d+)"

0 Karma
Reply

ShaneNewman
Motivator
‎11-11-2013 04:19 PM

I don't know of anything to help you, other than what @gkanapathy suggested. You can always setup what he suggested in your props.conf and transforms.conf. This should automatically extract any values that are preceded by an "=" sign as a value of the field before the "=" sign for the sourcetype you specify.

0 Karma
Reply

KarunK
Contributor
‎11-06-2013 09:33 PM

Hi Shane,
Thanks for the quick response. I am already doing xmlkv and extracting the XML values for me.

Eg:

body=Payment Overdue.Amount=176.Discount=16.Pay=160

I can see rex command will be usefull. But i am looking for a generic rule which will extract every thing in "body" automatically.

Regards

kkn

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...