Dashboards & Visualizations

XML and JSON Data Types

shangshin
Builder

Hi, I would like to use Splunk to parse xml and json data files and trigger the alert if the element "checked" is false. I would appreciate if you can provide an example on how to set up the field extractors for these 2 data type. Thank You!

[{
"text": "Products",
"cls": "folder",
"expanded": true,
"children": [{
"text": "iPad",
"leaf": true,
"checked": true

},{
    "text": "iPhone",
    "leaf": true,
    "checked": false       
},{
    "text": "iPod",
    "leaf": true,
    "checked": true      
}
]

}]

Tags (2)
0 Karma
1 Solution

sdaniels
Splunk Employee
Splunk Employee

Examples here using the spath command.

http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Spath

When you add an output it creates that field so you have the extracted value.

| spath output=myloc path=vendorproductset.product.desc.locdesc{4}{@locale}

View solution in original post

sdaniels
Splunk Employee
Splunk Employee

Examples here using the spath command.

http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Spath

When you add an output it creates that field so you have the extracted value.

| spath output=myloc path=vendorproductset.product.desc.locdesc{4}{@locale}

shangshin
Builder

Thanks a lot for the great support!

0 Karma

sdaniels
Splunk Employee
Splunk Employee

I don't have a web server to put up a screenshot, and you can't just paste them in here as far as i can tell. Email me and I can send it to you.

shangshin
Builder

Hi, thanks for the reply.
I entered the search string below but didn't find the result as a new field "myloc". I also clicked on the link "View all 14 fields" but still no luck.
sourcetype="sample_xml" | spath output=myloc path=vendorproductset.product.desc.locdesc{1}{@locale}

Can you upload a screenshot if possible?

Basically, we would like to use splunk to monitor a dynamic xml file and trigger the alert if the element value matches.

0 Karma

sdaniels
Splunk Employee
Splunk Employee

Hey shangshin...sorry for the delay. I didn't realize you were working on the test xml data. If you add an output, it will add your result as a new field. You'll see the field added in the bottom left under field discovery. That's the value you can now use. The whole event comes back since you matched it in your search. Now you can | to a new command with the ability to use your extracted value.

| spath output=myloc path=vendorproductset.product.desc.locdesc{4}{@locale}

shangshin
Builder

I am following the example to add the sample xml "vendorProductSet" as the new search data.
However, when I entered the string string
sourcetype="sample_xml" | spath path=vendorProductSet.product.desc.locDesc{4}{@locale}
I didn't not see it extracts the attribute of the 4th locDesc (ca)
Instead, I got the whole xml returned from search result.

Am I missing anything?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...