Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extracting attributes from XML Schema

amanno
New Member
‎06-30-2017 03:08 PM

I know there has to be a nice way to do this upon indexing in Splunk...I have a large XML file that I am indexing on the tag info however when each event is index I want some information from higher up the "tree" of the XML to be placed into that event. For a small example in:

 <Baseball>
         <player name="freese" number="23">
             <stats>
                       <info index=0>
                           <Team>Pittsburgh Pirates</Team>
                           <BA>.249</BA>
                       </info>
                       <info index=1>
                          <Team>Cardinals</Team>
                          <BA>.248</BA>
            </stats>
        </player>
         <player name="Pujols" number="5">
             <stats>
                       <info index=0>
                           <Team>LA Angles</Team>
                           <BA>.236</BA>
                       </info>
                       <info index=1>
                          <Team>Cardinals</Team>
                          <BA>.307</BA>
            </stats>
        </player>
    </Baseball>

I would like to have events that have all the information in the info tag as well as the two attributes of player name and number. Any ideas would be greatly appreciated.

Tags (2)
0 Karma
Reply

niketn
Legend
‎07-01-2017 01:47 AM

First off, your sample XML seem to have info end tags missing. You can use spath or xpath command to extract fields from XML. Based on the your needs you can extract individual field or as multi valued fields.

| makeresults 
| eval xml_data="<Baseball>
  <player name=\"freese\" number=\"23\">
      <stats>
        <info index=0>
            <Team>Pittsburgh Pirates</Team>
            <BA>.249</BA>
        </info>
        <info index=1>
           <Team>Cardinals</Team>
           <BA>.248</BA>
        </info>
     </stats>
  </player>
  <player name=\"Pujols\" number=\"5\">
    <stats>
        <info index=0>
            <Team>LA Angles</Team>
            <BA>.236</BA>
        </info>
        <info index=1>
           <Team>Cardinals</Team>
           <BA>.307</BA>
        </info>
    </stats>
  </player>
 </Baseball>"
 | spath input=xml_data path=Baseball.player{1}{@name} output=name
 | spath input=xml_data path=Baseball.player{1}{@number} output=number
 | spath input=xml_data path=Baseball.player{@name} output=names
 | spath input=xml_data path=Baseball.player{@number} output=numbers
 | spath input=xml_data path=Baseball.player.stats.info.Team output=Team
 | spath input=xml_data path=Baseball.player.stats.info.BA output=BA
 | table xml_data name names number numbers Team BA

Refer to Splunk documentation for more details: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...