Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract multi-valued fields from XML?

tamakg
Path Finder
‎08-24-2018 12:31 PM

I have a XML file with multi values on a specific tag (below).

alt text

I need to extract the attributes (NAME and CLASSORIGIN) and the VALUE , ignoring the rows without the tag VALUE.

I loaded the file as a XML and I was able to convert this to a multi-line result but now I need to extract the fields. Any ideas?

alt text

Preview file
230 KB
Preview file
282 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tamakg
Path Finder
‎08-24-2018 01:39 PM

Solved it.

index=msperf sourcetype="perfmon_processor_xml"
| xpath outfield=Architecture "//COMMAND/RESULTS/CIM/INSTANCE/PROPERTY"
| where Architecture != "Null"
| table Architecture
| mvexpand Architecture
| rex field=Architecture "^[^=\n]=\"(?P\w+)[^=\n]=\"(?P[^\"]+)[^<\n]*<\w+>(?P\w+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

tamakg
Path Finder
‎08-24-2018 01:39 PM

Solved it.

index=msperf sourcetype="perfmon_processor_xml"
| xpath outfield=Architecture "//COMMAND/RESULTS/CIM/INSTANCE/PROPERTY"
| where Architecture != "Null"
| table Architecture
| mvexpand Architecture
| rex field=Architecture "^[^=\n]=\"(?P\w+)[^=\n]=\"(?P[^\"]+)[^<\n]*<\w+>(?P\w+)"

0 Karma
Reply
Solved! Jump to solution

sudosplunk
Motivator
‎08-24-2018 12:37 PM

Did you try using spath. Append |spath at the end of your search and see if it works for you.

0 Karma
Reply
Solved! Jump to solution

tamakg
Path Finder
‎08-24-2018 12:45 PM

Yes, I did for some reason the fields could not be extracted.

appending only | spath doesn't show me nothing different. When I try
index=msperf sourcetype="perfmon_processor_xml"
| xpath outfield=Architecture "//COMMAND/RESULTS/CIM/INSTANCE/PROPERTY"
| mvexpand Architecture
| table Architecture
| where Architecture != "Null"
| spath
| rename PROPERTY.VALUE as Value
| rename PROPERTY.{@NAME} as Name
| table Name Value

the search results nothing. Maybe I'm missing something on the rename command.

0 Karma
Reply
Solved! Jump to solution

sudosplunk
Motivator
‎08-24-2018 12:48 PM

Give it a shot index=msperf sourcetype="perfmon_processor_xml" |spath

0 Karma
Reply
Solved! Jump to solution

tamakg
Path Finder
‎08-24-2018 12:54 PM

index=msperf sourcetype="perfmon_processor_xml"
| spath
| rename COMMAND.RESULTS.CIM.INSTANCE.PROPERTY.VALUE as Value
| rename COMMAND.RESULTS.CIM.INSTANCE.PROPERTY{@NAME} as Name
| table Name Value

Returned a single row with 2 multi-line fields, but the problem is: some rows doesn't have the VALUE tag and the columns have a different number of values.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...