Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: how to exctract fields from nested named XML e...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi there,
i have xml files which are indexed with KV_MODE=xml. i want to stats on the values on datagroup name="mem-used-percent"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<myobjects-sensor-data ms-duration="3244">
<ident>0820958kjshf8</ident>
<timeTimeDate>2017-04-30 23:55:15</timeTimeDate>
<csp>true</csp>
<sensors>
<sensor name="mem-data" status="INFO" duration-ms="2">
<sensorData>
<datagroup name="mem-used-percent">
<probe>
<key>value</key>
<value>25.4</value>
</probe>
</datagroup>
</sensorData>
</sensor>
<sensor name="anotherone" status="INFO" duration-ms="2">
<sensorData>
........
</sensorData>
</sensor>
</sensors>
</myobjects-sensor-data>
the sensor data gets recognized in preview for example:
myobjects-sensor-data.sensors.sensor.sensorData.datagroup.probe.value = 25.4
but as there are multiple *probe.value i dont know how to exactly adress this value by the name of the "datagroup".
...| spath output=memdaten path="myobjects-sensor-data.sensors.sensor{@name="mem-data"}.datagroup{@name="mem-used-percent"}.probe.value"
wont work.
what am i doing wrong?
thanks
swe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi there,
one possible solution is a combination of KV_MODE=xml, rex and mvzip. for example:
eval sensorstatuses=mvzip('myobject-sensor-data.sensors.sensor{@name}','myobject-sensor-data.sensors.sensor{@status}')
| rex "<key>gps-latitude<\/key>\s*<value>(?<gps_latitude>.*)<\/value>"
its not nice, but works for now until someone comes up with a better solution
thanks
swe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi there,
one possible solution is a combination of KV_MODE=xml, rex and mvzip. for example:
eval sensorstatuses=mvzip('myobject-sensor-data.sensors.sensor{@name}','myobject-sensor-data.sensors.sensor{@status}')
| rex "<key>gps-latitude<\/key>\s*<value>(?<gps_latitude>.*)<\/value>"
its not nice, but works for now until someone comes up with a better solution
thanks
swe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI,
shouldnt it be possible with xpath? i tried but this did not work. any suggestions?
xpath "//myobject-sensor-data/sensors/sensor[@name='mem-data']/datagroup[@name='mem-used-percent']/probe/value" outfield=myfield
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Instead of name it will be based on number if you are using spath
| spath output=memdaten path="myobjects-sensor-data.sensors.sensor{1}.datagroup.probe.value"
If you have already defined KV_MODE=xml in your sourcetype, you can table all the required field names as separate columns and then perform search/filter
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks, adressing with a number works but if the structure changes this would not be realy reliable. so i wonder if there is a better solution.
if using table i get a massive ammount of multivalue fields, in which i cant identifiy to which keys the values belong..
Splunk Mobile: Your Brand-New Home Screen
Introducing Value Insights (Beta): Understand the Business Impact your organization ...
Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...
