Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Is there a way to turn XML attribute/values into S...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
paimonsoror
Builder
10-26-2017
09:06 AM
Hi guys;
Tricky problem here. I have XML coming in via REST that contains performance data for an appliance. I have to find a way to take the data and build some nice dashboards off of it. Here is an example of the data:
<attribute id="0x1000a">0</attribute><attribute id="0x129fa">0x10000d</attribute><attribute id="0x13210">0.007082779639308599</attribute><attribute id="0x13212">1.2112084982652817E9</attribute><attribute id="0x11e33">2.0322754560000002E9</attribute><attribute id="0x11e39">1.672179712E10</attribute><attribute id="0x11e3b">0.0</attribute><attribute id="0x11e3d">144.38888205608168</attribute><attribute id="0x11e3f">0.0</attribute><attribute id="0x11e41">67.09483369780527</attribute><attribute id="0x11f91">0</attribute><attribute id="0x11f92">0</attribute><attribute id="0x13218">0.0</attribute><attribute id="0x13219">0.0</attribute><attribute id="0x11e44">10.00077</attribute><attribute id="0x11e4b">39.49695873417747</attribute><attribute id="0x11e4d">74.59425624226935</attribute><attribute id="0x11e4f">1.099915306521398</attribute><attribute id="0x11e51">1.099915306521398</attribute><attribute id="0x11e8d">403.46893289216735</attribute><attribute id="0x11e8f">16160.155668013564</attribute><attribute id="0x11e53">258.38010473193566</attribute><attribute id="0x11e56">0.2799783534467724</attribute><attribute id="0x11e59">39.49695873417747</attribute><attribute id="0x11e5b">74.59425624226935</attribute><attribute id="0x11e75">0.0</attribute><attribute id="0x11e77">0.0</attribute><attribute id="0x11e8c">7.918264320000222E8</attribute>
Sorry for the lack of pretty-print, but i wanted to represent the data as it is in my events. Anyway, I have a lookup table that correlates the attribute id's to human readable values. Is there a way, that I can build some logic that will take each attribute id, grab the human readable value from lookup, and then build a field with its corresponding attribute value?
spath already gives me fields like:
attribute
attribute{@id}
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
paimonsoror
Builder
10-26-2017
12:25 PM
Ok well im not sure if this is the right answer, but here is what i did to help me get around it.... not sure how efficient it is though:
index=app_smpeng sourcetype=smpeng:spectrum:performance
| head 1
| spath path=model-response-list.model-responses.model output=models
| mvexpand models
| eval _raw = models
| spath
| lookup spectrum_attributes.csv attribute as "attribute{@id}" OUTPUT description as attribute_description
| table attribute*
| fields - attribute-*
| eval temp=mvzip(attribute_description, attribute,"=")
| eval _raw = mvjoin(temp, ",")
I then dump the result into a summary index. Data comes back like so:
Model Name=SSPerformance,Condition=0,Model Handle=0x320000d,ArchMgr CPU Utilization=0.01499869663023355,ArchMgr MEM Proc Size=6.355070972273846E8,OS Mem Avail=3.048480768E9,OS Mem Total=8.254803968E9,OS Net Packet Read Errors=0.0,OS Net Packet Read=6.7992425643783285,OS Net Packet Write Errors=0.0,OS Net Packet Write=4.7994653395611735,OS Pages In=0,OS Pages Out=0,Search CPU Time Elapsed=0.0,Search Memory Used=0.0,Time Delta=10.001114,VNM Attr Bytes Read=2.7996881147440176,VNM Attr Bytes Write=2829.2848176713114,VNM Attr Read Calls=0.6999220286860044,VNM Attr Write Calls=0.09998886124085778,VNM Conn Bytes Recd=2875.379682703347,VNM Conn Bytes Sent=424.95266027364556,VNM Context Switch=8.09909776050948,VNM CPU Utilization=0.09165819895690372,VNM Disk Bytes Read=2.7996881147440176,VNM Disk Bytes Write=2829.2848176713114,VNM ICMP Requests=0.0,VNM ICMP Successes=0.0,VNM Mem Proc Size=6.595788799999496E8,VNM Net Bytes Read=2875.379682703347,VNM Net Bytes Write=424.95266027364556,VNM Notif Latency=0.0,VNM Notif Threads=-8.383655900952226E-15,VNM Poll Latency=1.4281955584776981E-11,VNM Poll Threads=0.06666668888690283,VNM Sigalarm=0.3999554449634311,VNM Sigio=1.0998774736494354,VNM SNMP Get Next Req=0.0,VNM SNMP Incoming Varbind=0.0,VNM SNMP Mult Get Req=0.0,VNM SNMP Nosuchname Resp=0.0,VNM SNMP Outgoing Varbind=0.0,VNM SNMP Readonly Resp=0.0,VNM SNMP Tot Req=0.0,VNM SNMP Tot Resp Bytes=0.0,VNM SNMP Tot Resp=0.0,VNM SNMP Trap Bytes=0.0,VNM SNMP Traps=0.0,VNM Timer Latency=-1.4077246065294874E-14,VNM Timer Threads=0.583333807735437
Which splunk easily parses as K=V pairs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
paimonsoror
Builder
10-26-2017
12:25 PM
Ok well im not sure if this is the right answer, but here is what i did to help me get around it.... not sure how efficient it is though:
index=app_smpeng sourcetype=smpeng:spectrum:performance
| head 1
| spath path=model-response-list.model-responses.model output=models
| mvexpand models
| eval _raw = models
| spath
| lookup spectrum_attributes.csv attribute as "attribute{@id}" OUTPUT description as attribute_description
| table attribute*
| fields - attribute-*
| eval temp=mvzip(attribute_description, attribute,"=")
| eval _raw = mvjoin(temp, ",")
I then dump the result into a summary index. Data comes back like so:
Model Name=SSPerformance,Condition=0,Model Handle=0x320000d,ArchMgr CPU Utilization=0.01499869663023355,ArchMgr MEM Proc Size=6.355070972273846E8,OS Mem Avail=3.048480768E9,OS Mem Total=8.254803968E9,OS Net Packet Read Errors=0.0,OS Net Packet Read=6.7992425643783285,OS Net Packet Write Errors=0.0,OS Net Packet Write=4.7994653395611735,OS Pages In=0,OS Pages Out=0,Search CPU Time Elapsed=0.0,Search Memory Used=0.0,Time Delta=10.001114,VNM Attr Bytes Read=2.7996881147440176,VNM Attr Bytes Write=2829.2848176713114,VNM Attr Read Calls=0.6999220286860044,VNM Attr Write Calls=0.09998886124085778,VNM Conn Bytes Recd=2875.379682703347,VNM Conn Bytes Sent=424.95266027364556,VNM Context Switch=8.09909776050948,VNM CPU Utilization=0.09165819895690372,VNM Disk Bytes Read=2.7996881147440176,VNM Disk Bytes Write=2829.2848176713114,VNM ICMP Requests=0.0,VNM ICMP Successes=0.0,VNM Mem Proc Size=6.595788799999496E8,VNM Net Bytes Read=2875.379682703347,VNM Net Bytes Write=424.95266027364556,VNM Notif Latency=0.0,VNM Notif Threads=-8.383655900952226E-15,VNM Poll Latency=1.4281955584776981E-11,VNM Poll Threads=0.06666668888690283,VNM Sigalarm=0.3999554449634311,VNM Sigio=1.0998774736494354,VNM SNMP Get Next Req=0.0,VNM SNMP Incoming Varbind=0.0,VNM SNMP Mult Get Req=0.0,VNM SNMP Nosuchname Resp=0.0,VNM SNMP Outgoing Varbind=0.0,VNM SNMP Readonly Resp=0.0,VNM SNMP Tot Req=0.0,VNM SNMP Tot Resp Bytes=0.0,VNM SNMP Tot Resp=0.0,VNM SNMP Trap Bytes=0.0,VNM SNMP Traps=0.0,VNM Timer Latency=-1.4077246065294874E-14,VNM Timer Threads=0.583333807735437
Which splunk easily parses as K=V pairs.
Get Updates on the Splunk Community!
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Cultivate Your Career Growth with Fresh Splunk Training
Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...
