Solved: Re: how to exctract fields from nested named XML e...

swe · ‎05-12-2017

hi there,
i have xml files which are indexed with KV_MODE=xml. i want to stats on the values on datagroup name="mem-used-percent"

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<myobjects-sensor-data ms-duration="3244">
    <ident>0820958kjshf8</ident>
    <timeTimeDate>2017-04-30 23:55:15</timeTimeDate>
    <csp>true</csp>
    <sensors>
        <sensor name="mem-data" status="INFO" duration-ms="2">
            <sensorData>
                <datagroup name="mem-used-percent">
                    <probe>
                        <key>value</key>
                        <value>25.4</value>
                    </probe>
                </datagroup>
            </sensorData>
        </sensor>
        <sensor name="anotherone" status="INFO" duration-ms="2">
            <sensorData>
........
            </sensorData>
        </sensor>
    </sensors>
</myobjects-sensor-data>

the sensor data gets recognized in preview for example:
myobjects-sensor-data.sensors.sensor.sensorData.datagroup.probe.value = 25.4

but as there are multiple *probe.value i dont know how to exactly adress this value by the name of the "datagroup".

...| spath output=memdaten path="myobjects-sensor-data.sensors.sensor{@name="mem-data"}.datagroup{@name="mem-used-percent"}.probe.value"

wont work.

what am i doing wrong?

thanks
swe

swe · ‎05-19-2017

hi there,

one possible solution is a combination of KV_MODE=xml, rex and mvzip. for example:

eval sensorstatuses=mvzip('myobject-sensor-data.sensors.sensor{@name}','myobject-sensor-data.sensors.sensor{@status}') 
| rex "<key>gps-latitude<\/key>\s*<value>(?<gps_latitude>.*)<\/value>"

its not nice, but works for now until someone comes up with a better solution
thanks
swe

View solution in original post

swe · ‎05-19-2017

hi there,

one possible solution is a combination of KV_MODE=xml, rex and mvzip. for example:

eval sensorstatuses=mvzip('myobject-sensor-data.sensors.sensor{@name}','myobject-sensor-data.sensors.sensor{@status}') 
| rex "<key>gps-latitude<\/key>\s*<value>(?<gps_latitude>.*)<\/value>"

its not nice, but works for now until someone comes up with a better solution
thanks
swe

swe · ‎05-18-2017

HI,

shouldnt it be possible with xpath? i tried but this did not work. any suggestions?

xpath "//myobject-sensor-data/sensors/sensor[@name='mem-data']/datagroup[@name='mem-used-percent']/probe/value" outfield=myfield

niketn · ‎05-12-2017

Instead of name it will be based on number if you are using spath

| spath output=memdaten path="myobjects-sensor-data.sensors.sensor{1}.datagroup.probe.value"

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath#6:_Extract_a_subset_of_a_XM...

If you have already defined KV_MODE=xml in your sourcetype, you can table all the required field names as separate columns and then perform search/filter

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

swe · ‎05-18-2017

thanks, adressing with a number works but if the structure changes this would not be realy reliable. so i wonder if there is a better solution.

if using table i get a massive ammount of multivalue fields, in which i cant identifiy to which keys the values belong..

how to exctract fields from nested named XML elements

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

how to exctract fields from nested named XML elements

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0