Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract multi-valued fields from XML?

tamakg
Path Finder
‎08-24-2018 12:31 PM

I have a XML file with multi values on a specific tag (below).

alt text

I need to extract the attributes (NAME and CLASSORIGIN) and the VALUE , ignoring the rows without the tag VALUE.

I loaded the file as a XML and I was able to convert this to a multi-line result but now I need to extract the fields. Any ideas?

alt text

Preview file
230 KB
Preview file
282 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tamakg
Path Finder
‎08-24-2018 01:39 PM

Solved it.

index=msperf sourcetype="perfmon_processor_xml"
| xpath outfield=Architecture "//COMMAND/RESULTS/CIM/INSTANCE/PROPERTY"
| where Architecture != "Null"
| table Architecture
| mvexpand Architecture
| rex field=Architecture "^[^=\n]=\"(?P\w+)[^=\n]=\"(?P[^\"]+)[^<\n]*<\w+>(?P\w+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

tamakg
Path Finder
‎08-24-2018 01:39 PM

Solved it.

index=msperf sourcetype="perfmon_processor_xml"
| xpath outfield=Architecture "//COMMAND/RESULTS/CIM/INSTANCE/PROPERTY"
| where Architecture != "Null"
| table Architecture
| mvexpand Architecture
| rex field=Architecture "^[^=\n]=\"(?P\w+)[^=\n]=\"(?P[^\"]+)[^<\n]*<\w+>(?P\w+)"

0 Karma
Reply
Solved! Jump to solution

sudosplunk
Motivator
‎08-24-2018 12:37 PM

Did you try using spath. Append |spath at the end of your search and see if it works for you.

0 Karma
Reply
Solved! Jump to solution

tamakg
Path Finder
‎08-24-2018 12:45 PM

Yes, I did for some reason the fields could not be extracted.

appending only | spath doesn't show me nothing different. When I try
index=msperf sourcetype="perfmon_processor_xml"
| xpath outfield=Architecture "//COMMAND/RESULTS/CIM/INSTANCE/PROPERTY"
| mvexpand Architecture
| table Architecture
| where Architecture != "Null"
| spath
| rename PROPERTY.VALUE as Value
| rename PROPERTY.{@NAME} as Name
| table Name Value

the search results nothing. Maybe I'm missing something on the rename command.

0 Karma
Reply
Solved! Jump to solution

sudosplunk
Motivator
‎08-24-2018 12:48 PM

Give it a shot index=msperf sourcetype="perfmon_processor_xml" |spath

0 Karma
Reply
Solved! Jump to solution

tamakg
Path Finder
‎08-24-2018 12:54 PM

index=msperf sourcetype="perfmon_processor_xml"
| spath
| rename COMMAND.RESULTS.CIM.INSTANCE.PROPERTY.VALUE as Value
| rename COMMAND.RESULTS.CIM.INSTANCE.PROPERTY{@NAME} as Name
| table Name Value

Returned a single row with 2 multi-line fields, but the problem is: some rows doesn't have the VALUE tag and the columns have a different number of values.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...