Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Processing multivalue CDATA escaped XML
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would like to have a table of items, but getting this to work is not working out for me. I think because the raw event is slightly hard for me to process. This is a shortened version of my raw event:
EDIT: please note that the "& lt;" and "& gt;" markings below are actually without the space, but otherwise the forum would convert them.
[03/29/2017 15:39:00.115 CEST] BLABLA [nl.morenonsense]
<send exit="sendCoolMessage">
<message>
<![CDATA[& lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?& gt;
& lt;SendCoolMsg xmlns="http://www.website.com"& gt;
& lt;CoolAMsg& gt;
& lt;?xml version="1.0" encoding="UTF-8"?& gt;
& lt;Items& gt;
& lt;Item1& gt;
& lt;information& gt;numbers and stuff& lt;/information& gt;
& lt;coolthings& gt;strings& lt;/coolthings& gt;
& lt;/Item1& gt;
& lt;Item2& gt;
& lt;information& gt;numbers2 and stuff2& lt;/information& gt;
& lt;coolthings& gt;strings2& lt;/coolthings& gt;
& lt;/Item2& gt;
& lt;/Items& gt;
& lt;/CoolAmsg& gt;
& lt;/SendCoolMsg& gt;
]]>
</message>
</send>
I'd like to end up with a table like this:
information coolthings
item1
item2
I can access the fields (like information) using xmlkv but I haven't been able to get spath to find anything. I have tried using rex to first isolate the inner xml but it seems to only give back results if there is just a string and not any tag for some reason.
search | xmlkv | table _time, information will only give me the information of the first item, I need it to do something multivalued.
search | rex field=_raw "<informatie>(?<Inf>.*)</informatie>" max_match=0 | mvexpand Inf | table _time, Inf now we have the expanded multivaluedness. But the next step is to use the information in coolthings to filter. If it is strings2 the information shouldn't show up. And I don't know how to get there if I can't use the XML structure. Also the event usually has over 15000 characters (sometimes over 30000), if that is a limit somewhere.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the end we solved it by exporting all these events and processing them locally with scripts.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the end we solved it by exporting all these events and processing them locally with scripts.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
