I have a Splunk log entry that contains XML. I need to extract all the unique values for Customer City, and show them, such as what I would do in Unix with sort|uniq.
Is this possible in Splunk?
<request>
<CustomerName>Smith</CustomerName>
<CustomerAddress>111 Elm Street</CustomerAddress>
<CustomerCity>Allentown</CustomerCity>
</request>
Try this:
| stats count | eval xml = "<request><CustomerName>Smith</CustomerName><CustomerAddress>111 Elm Street</CustomerAddress><CustomerCity>Allentown</CustomerCity></request>,<request><CustomerName>Smith</CustomerName><CustomerAddress>111 Elm Street</CustomerAddress><CustomerCity>Allentown</CustomerCity></request>,<request><CustomerName>Smith</CustomerName><CustomerAddress>111 Elm Street</CustomerAddress><CustomerCity>Not Allentown</CustomerCity></request>" | makemv xml delim="," | mvexpand xml | rename xml as _raw
| spath | dedup request.CustomerCity | table request.CustomerCity
The first block just sets up dummy data, the meat is the last three commands. spath grabs the fields from your XML, dedup does the sort|uniq part, table picks out just that column to show.
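An added example, not part of the original answer: a variant for the case where the XML is only part of a longer log line. It goes a step beyond the answer by pulling the XML into its own field with rex, pointing spath at that field, and using stats and sort to get a sorted list with counts, similar to sort|uniq -c. The field names constructed_sample, xml and CustomerCity and the log lines themselves are constructed for illustration, and the XML is assumed to sit on a single line.

```spl
| makeresults
| eval constructed_sample=split("2024-01-01 12:00:01 INFO payload=<request><CustomerName>Smith</CustomerName><CustomerAddress>111 Elm Street</CustomerAddress><CustomerCity>Allentown</CustomerCity></request>##2024-01-01 12:00:02 INFO payload=<request><CustomerName>Smith</CustomerName><CustomerAddress>111 Elm Street</CustomerAddress><CustomerCity>Allentown</CustomerCity></request>##2024-01-01 12:00:03 INFO payload=<request><CustomerName>Smith</CustomerName><CustomerAddress>111 Elm Street</CustomerAddress><CustomerCity>Not Allentown</CustomerCity></request>", "##")
| mvexpand constructed_sample
| rename constructed_sample as _raw
| rex field=_raw "(?<xml><request>.*?</request>)"
| spath input=xml path=request.CustomerCity output=CustomerCity
| stats count by CustomerCity
| sort CustomerCity
```

Against real events, replace everything up to and including the rename with your own base search.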