Solved: extract xml field

SplunkCSIT · ‎04-02-2014

i'm new to xml, need help on the following: I got alot of catalogs and some catalog got more books and some got less books. Below is the example of one of the catalog. For this catalog, i got two books and each book have its own key=value that belong to its book. What would be the best approach to extract the key-values pair for each book for each catalog.
thks

<?xml version="1.0"?>

   <catalog>

    <book id="bk101">
      <author>Gambardella, Matthew</author>
      <title>XML Developer's Guide</title>
      <genre>Computer</genre>
      <price>44.95</price>
      <publish_date>2000-10-01</publish_date>
      <description>An in-depth look at creating applications 
      with XML.</description>
     </book>

    <book id="bk101">
      <author>Gambardella, Matthew</author>
      <title>XML Developer's Guide</title>
      <genre>Computer</genre>
      <price>44.95</price>
      <publish_date>2000-10-01</publish_date>
      <description>An in-depth look at creating applications 
      with XML.</description>
     </book>


  </catalog>

MuS · ‎04-02-2014

Hi,

take a look at the spath command, this will take care of XML/JSON data and extract the key=value for you.

cheers, MuS

View solution in original post

to4kawa · ‎12-07-2019

| makeresults 
| eval _raw="<?xml version=\"1.0\">

    <catalog>

     <book id=\"bk101\">
       <author>Gambardella, Matthew</author>
       <title>XML Developer's Guide</title>
       <genre>Computer</genre>
       <price>44.95</price>
       <publish_date>2000-10-01</publish_date>
       <description>An in-depth look at creating applications 
       with XML.</description>
      </book>

     <book id=\"bk101\">
       <author>Gambardella, Matthew</author>
       <title>XML Developer's Guide</title>
       <genre>Computer</genre>
       <price>44.95</price>
       <publish_date>2000-10-01</publish_date>
       <description>An in-depth look at creating applications 
       with XML.</description>
      </book>


   </catalog>"
| spath
| rename catalog.book.* as *
| rename "catalog.book{@id}" as id
| eval counter=mvrange(1,mvcount(id) + 1)
| stats values(*) as * by counter
| table id author title genre price publish_date description

In this case, you can expand with this query.

MuS · ‎04-02-2014

Hi,

take a look at the spath command, this will take care of XML/JSON data and extract the key=value for you.

cheers, MuS

MuS · ‎04-02-2014

this is search related and therefore it goes into props.conf on the indexer, see http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F for more detailed informations

SplunkCSIT · ‎04-02-2014

KV_MODE=xml for your source/sourcetype in props.conf is to be configure at forwarder end or indexer end? thks

MuS · ‎04-02-2014

YourBaseSearchHere | chart values(Title) as Title by author

and please tick the tick to mark this as answered, you can also upvote it 😉

SplunkCSIT · ‎04-02-2014

thks a lot, how to create the table such to show unique author if the the author had more than 1 title? thks

author Title
Gambardella, Matthew XML Developer's Guide
XML Developer's Guide1

MuS · ‎04-02-2014

or you set the KV_MODE=xml for your source/sourcetype in props.conf http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/Propsconf

extract xml field

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation