how extract fields from XML maintaining alignment ...

marcoemme41 · ‎03-15-2019

I have an XML with some tags repetead and other tags not repeated. I need extract all fields from this XML maintaining corrispondence between all tags.

I can explain using the example reported in Splunk docs for spath command (https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Spath):

This is my XML and the query to extract fields:

The output of this query is:

This is wrong because "Clarke" is associated to "A Clash of Kings" instead to "Jonathan Strange".
What I need, instead, is Martin repeated in the first and second lines of Author column, and Clarke written in third line.

Someone can help me?

niketnilay · ‎03-17-2019

@marcoemme41, ideally if you are interested in <book> being the root node of individual events and not <purchases> you should try to index only <book> node and discard <publisher> node by pushing to null queue:
props.conf

BREAK_ONLY_BEFORE=\<book\>
MUST_BREAK_AFTER=\<\/book\>
KV_MODE=xml
TRANSFORMS-nullQueueDiscardPurchases=nullQueueDiscardPurchases

transforms.conf

[nullQueueDiscardPurchases]
REGEX = purchases
DEST_KEY = queue
FORMAT = nullQueue

However, as per your question following is searchtime. Consider this only as workaround, since, ideal way would to ingest the data in proper way as expected.

| makeresults
| eval _raw="
<purchases>
  <book>
    <author>Martin</author>
    <title>A Game of Thrones</title>
    <title>A Clash of Kings</title>
  </book>
  <book>
    <author>Clarke</author>
    <title>Jonathan Strange</title>
  </book>
</purchases>"
| spath input=_raw path=purchases
| eval purchases=replace(purchases,"</book>","</book>|")
| makemv purchases delim="|"
| mvexpand purchases
| rename purchases as _raw
| spath

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

how extract fields from XML maintaining alignment if same tags are repeated?