Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you extract fields from an XML file?

varmamkm
New Member
‎11-19-2018 03:53 AM

sample data

<MAINNODE>
     <NODE1 ID="C1" DATE="2018-11-16 09:20:01">
        <NODE2>
            <NODE3 CODE="A1" AMOUNT="100"/>
            <NODE3 CODE="A2" AMOUNT="200"/>
            <NODE3 CODE="A3" AMOUNT="300"/>
        </NODE2>
    </NODE1>
    <NODE1 ID="C2" DATE="2018-11-16 09:20:01">
        <NODE2>
            <NODE3 CODE="A2" AMOUNT="100"/>
            <NODE3 CODE="A1" AMOUNT="200"/>
        </NODE2>
    </NODE1>
 </MAINNODE>

Can you please help me out to build a regular expression or any other method (ex: xpath) to get the rows as mentioned below.

ID="C1", DATE="2018-11-16 09:20:01", CODE="A1", AMOUNT="100"
ID="C1", DATE="2018-11-16 09:20:01", CODE="A2", AMOUNT="200"
ID="C1", DATE="2018-11-16 09:20:01", CODE="A3", AMOUNT="300"
ID="C2", DATE="2018-11-16 09:20:01", CODE="A2", AMOUNT="100"
ID="C2", DATE="2018-11-16 09:20:01", CODE="A1", AMOUNT="200"
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

akocak
Contributor
‎11-19-2018 09:27 AM

You can obviously do all sort of things during index-time. However, if search time, this app probably has everything you need:

https://splunkbase.splunk.com/app/455/

if you had this app, your search would look like
index="xmlfile" | xmlkv

if you need nested xml to be extracted,
index="xmlfile" |xmlkvrecursive

as mentioned, spath or rex would work on this task too.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

akocak
Contributor
‎11-19-2018 09:27 AM

You can obviously do all sort of things during index-time. However, if search time, this app probably has everything you need:

https://splunkbase.splunk.com/app/455/

if you had this app, your search would look like
index="xmlfile" | xmlkv

if you need nested xml to be extracted,
index="xmlfile" |xmlkvrecursive

as mentioned, spath or rex would work on this task too.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-19-2018 05:44 AM

Why does it have to be a regular expression? Have you considered the xpath command?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

varmamkm
New Member
‎11-19-2018 07:27 AM

Thanks! i have solved this by using spath.. can you please validate the query below

index="xmlfile" | spath output=NODE3CODE path=NODE1.NODE2.NODE3{@CODE} | spath output=NODE3AMOUNT path=NODE1.NODE2.NODE3{@AMOUNT} | eval x=mvzip(NODE3CODE, NODE3AMOUNT) | mvexpand x | eval x = split(x,",") | eval NODE3CODE=mvindex(x,0) | eval NODE3AMOUNT=mvindex(x,1) | table DATE ID NODE3CODE NODE3AMOUNT

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...