Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

XML and JSON Data Types

shangshin
Builder
‎04-26-2012 11:39 AM

Hi, I would like to use Splunk to parse xml and json data files and trigger the alert if the element "checked" is false. I would appreciate if you can provide an example on how to set up the field extractors for these 2 data type. Thank You!

[{
"text": "Products",
"cls": "folder",
"expanded": true,
"children": [{
"text": "iPad",
"leaf": true,
"checked": true 

},{
    "text": "iPhone",
    "leaf": true,
    "checked": false       
},{
    "text": "iPod",
    "leaf": true,
    "checked": true      
}
]

}]

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎04-26-2012 11:41 AM

Examples here using the spath command.

http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Spath

When you add an output it creates that field so you have the extracted value.

| spath output=myloc path=vendorproductset.product.desc.locdesc{4}{@locale}

View solution in original post

Reply
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎04-26-2012 11:41 AM

Examples here using the spath command.

http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Spath

When you add an output it creates that field so you have the extracted value.

| spath output=myloc path=vendorproductset.product.desc.locdesc{4}{@locale}

Reply
Solved! Jump to solution

shangshin
Builder
‎05-01-2012 12:29 PM

Thanks a lot for the great support!

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎05-01-2012 08:06 AM

I don't have a web server to put up a screenshot, and you can't just paste them in here as far as i can tell. Email me and I can send it to you.

Reply
Solved! Jump to solution

shangshin
Builder
‎05-01-2012 07:06 AM

Hi, thanks for the reply.
I entered the search string below but didn't find the result as a new field "myloc". I also clicked on the link "View all 14 fields" but still no luck.
sourcetype="sample_xml" | spath output=myloc path=vendorproductset.product.desc.locdesc{1}{@locale}

Can you upload a screenshot if possible?

Basically, we would like to use splunk to monitor a dynamic xml file and trigger the alert if the element value matches.

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎04-30-2012 03:54 PM

Hey shangshin...sorry for the delay. I didn't realize you were working on the test xml data. If you add an output, it will add your result as a new field. You'll see the field added in the bottom left under field discovery. That's the value you can now use. The whole event comes back since you matched it in your search. Now you can | to a new command with the ability to use your extracted value.

| spath output=myloc path=vendorproductset.product.desc.locdesc{4}{@locale}

Reply
Solved! Jump to solution

shangshin
Builder
‎04-26-2012 01:26 PM

I am following the example to add the sample xml "vendorProductSet" as the new search data.
However, when I entered the string string
sourcetype="sample_xml" | spath path=vendorProductSet.product.desc.locDesc{4}{@locale}
I didn't not see it extracts the attribute of the 4th locDesc (ca)
Instead, I got the whole xml returned from search result.

Am I missing anything?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top