Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk XML File multi-Tag parsing

alaaelbahrawy
Explorer
‎12-04-2019 03:40 AM

I have the following XML format file. I triesd to Parse in Splunk to Reach the Below table format. but i faced an issue to make the Zone repetitive in every line.

<PolicyGlobal>
<Zone>ABC</Zone>
<policy>
<PolicyName>A<PolicyName>
<Attribute1>Value</Attribute1>
<Attribute2>Value</Attribute2>
</policy>
<policy>
<PolicyName>B<PolicyName>
<Attribute1>Value</Attribute1>
<Attribute2>Value</Attribute2>
</policy>
</PolicyGlobal>
<PolicyGlobal>
<Zone>DEF</Zone>
<policy>
<PolicyName>C<PolicyName>
<Attribute1>Value</Attribute1>
<Attribute2>Value</Attribute2>
</policy>
<policy>
<PolicyName>D<PolicyName>
<Attribute1>Value</Attribute1>
<Attribute2>Value</Attribute2>
</policy>
</PolicyGlobal>>

PolicyName,Attribute1,Attribute2,Zone
A,Value,Value,ABC
B,Value,Value,ABC
C,Value,Value,DEF
D,Value,Value,DEF

I tried to cut the values with LINE_BREAKER : with "PolicyGlobal" it gets all the all the policies in 1 line. and if i changed the LINE_BREAKER value with Policy it doesn't get the Zone
Can you help?

0 Karma
Reply

arjunpkishore5
Motivator
‎12-07-2019 09:01 PM

can you post the current props.conf please ?

0 Karma
Reply

to4kawa
Ultra Champion
‎12-07-2019 06:09 PM 
| makeresults 
| eval _raw="<PolicyGlobal>
 <Zone>ABC</Zone>
 <policy>
 <PolicyName>A<PolicyName>
 <Attribute1>Value</Attribute1>
 <Attribute2>Value</Attribute2>
 </policy>
 <policy>
 <PolicyName>B<PolicyName>
 <Attribute1>Value</Attribute1>
 <Attribute2>Value</Attribute2>
 </policy>
 </PolicyGlobal>
 <PolicyGlobal>
 <Zone>DEF</Zone>
 <policy>
 <PolicyName>C<PolicyName>
 <Attribute1>Value</Attribute1>
 <Attribute2>Value</Attribute2>
 </policy>
 <policy>
 <PolicyName>D<PolicyName>
 <Attribute1>Value</Attribute1>
 <Attribute2>Value</Attribute2>
 </policy>
 </PolicyGlobal>"
 | makemv delim="
 " _raw
 | stats delim="," list(_raw) as raw
 | nomv raw
 | eval raw=replace(raw,"</PolicyGlobal>,<PolicyGlobal>","</PolicyGlobal>#<PolicyGlobal>")
 | makemv delim="#" raw
 | stats count by raw
 | rex field=raw mode=sed "s/<[\w\/]+>//g"
 | eval raw=trim(raw,",")
 | rex field=raw mode=sed "s/,+/,/g"
 | eval Zone=mvindex(split(raw,","),0), text1=mvindex(split(raw,","),1)." ".mvindex(split(raw,","),2)." ".mvindex(split(raw,","),3)
 , text2=mvindex(split(raw,","),4)." ".mvindex(split(raw,","),5)." ".mvindex(split(raw,","),6)
 | eval tmp=mvappend(text1,text2)
 | mvexpand tmp
 | table Zone tmp
 | eval PolicyName=mvindex(split(tmp," "),0), Attribute1=mvindex(split(tmp," "),1), Attribute2=mvindex(split(tmp," "),2)
 | table Zone PolicyName Attribute*

It ’s too hard to be helpful.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...