Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How do I read XML tags from Splunk?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I read XML tags from Splunk?
rohithshettyge
Engager
01-11-2019
01:04 AM
I have uploaded the below XML data into Splunk Light. Can someone give me a query to get only the value from the tag ? So I can create a dashboard from this result that if MessageID has values, the request reached the destination.
<part name="reqdata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<CreateOrderRequest
xmlns=""
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<TransactionHeader>
<Action>CREATE</Action>
<MessageID>1-6348871101_01/07/2019 05:52:27
</MessageID>
<SourceApplication>SRS1</SourceApplication>
<SourceComponent>Submit Order</SourceComponent>
<TargetApplication>XXX</TargetApplication>
<TargetComponent>Submit Order</TargetComponent>
</TransactionHeader>
</CreateOrderRequest>
</part>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-11-2019
01:26 AM
Hi,
spath would definitely work but that would also create unnecessary fields if you are just interested in MessageID then you can try this:
index=<your_index> | rex field=_raw "\<MessageID\>(?<MessageID>[^\<]+)" | search MessageID=*
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harsmarvania57
Ultra Champion
01-11-2019
01:20 AM
Hi @rohithshettyge,
You can use spath in your query so your query will be like this
<yourBaseQuery> | spath
Here is run anywhere search
| makeresults
| eval _raw="<part name=\"reqdata\"
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">
<CreateOrderRequest
xmlns=\"\"
xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">
<TransactionHeader>
<Action>CREATE</Action>
<MessageID>1-6348871101_01/07/2019 05:52:27
</MessageID>
<SourceApplication>SRS1</SourceApplication>
<SourceComponent>Submit Order</SourceComponent>
<TargetApplication>XXX</TargetApplication>
<TargetComponent>Submit Order</TargetComponent>
</TransactionHeader>
</CreateOrderRequest>
</part>"
| spath
Get Updates on the Splunk Community!
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...
New Release | Splunk Cloud Platform 10.1.2507
Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...
🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2
🗣 You Spoke, We Listened
Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.
In ...
