Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

XML and JSON Data Types

shangshin
Builder
‎04-26-2012 11:39 AM

Hi, I would like to use Splunk to parse xml and json data files and trigger the alert if the element "checked" is false. I would appreciate if you can provide an example on how to set up the field extractors for these 2 data type. Thank You!

[{
"text": "Products",
"cls": "folder",
"expanded": true,
"children": [{
"text": "iPad",
"leaf": true,
"checked": true 

},{
    "text": "iPhone",
    "leaf": true,
    "checked": false       
},{
    "text": "iPod",
    "leaf": true,
    "checked": true      
}
]

}]

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎04-26-2012 11:41 AM

Examples here using the spath command.

http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Spath

When you add an output it creates that field so you have the extracted value.

| spath output=myloc path=vendorproductset.product.desc.locdesc{4}{@locale}

View solution in original post

Reply
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎04-26-2012 11:41 AM

Examples here using the spath command.

http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Spath

When you add an output it creates that field so you have the extracted value.

| spath output=myloc path=vendorproductset.product.desc.locdesc{4}{@locale}

Reply
Solved! Jump to solution

shangshin
Builder
‎05-01-2012 12:29 PM

Thanks a lot for the great support!

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎05-01-2012 08:06 AM

I don't have a web server to put up a screenshot, and you can't just paste them in here as far as i can tell. Email me and I can send it to you.

Reply
Solved! Jump to solution

shangshin
Builder
‎05-01-2012 07:06 AM

Hi, thanks for the reply.
I entered the search string below but didn't find the result as a new field "myloc". I also clicked on the link "View all 14 fields" but still no luck.
sourcetype="sample_xml" | spath output=myloc path=vendorproductset.product.desc.locdesc{1}{@locale}

Can you upload a screenshot if possible?

Basically, we would like to use splunk to monitor a dynamic xml file and trigger the alert if the element value matches.

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎04-30-2012 03:54 PM

Hey shangshin...sorry for the delay. I didn't realize you were working on the test xml data. If you add an output, it will add your result as a new field. You'll see the field added in the bottom left under field discovery. That's the value you can now use. The whole event comes back since you matched it in your search. Now you can | to a new command with the ability to use your extracted value.

| spath output=myloc path=vendorproductset.product.desc.locdesc{4}{@locale}

Reply
Solved! Jump to solution

shangshin
Builder
‎04-26-2012 01:26 PM

I am following the example to add the sample xml "vendorProductSet" as the new search data.
However, when I entered the string string
sourcetype="sample_xml" | spath path=vendorProductSet.product.desc.locDesc{4}{@locale}
I didn't not see it extracts the attribute of the 4th locDesc (ca)
Instead, I got the whole xml returned from search result.

Am I missing anything?

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...