Hi there,
I have a CSV file with 2 fields: time,xml_data.
Is there any way I can parse the xml_data field as XML?
This is a nested XML inside a CSV field and I would prefer to parse it at index time (if not, parsing at search time is also acceptable).
Thanks
I have a CSV file with 2 fields : time,xml_data
As long as you know the name of the field in the CSV which contains the XML, spath will work at search time:
<your search which includes your csv events>| spath xml_data
Hi @moneybox,
You can use spath for the same. Check the search below.
|inputlookup mylookup
| eval _raw=XML_DATA_FIELD
| spath output=.. path=..
| table ..
Please check my sample search from the doc below:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Spath
| makeresults
| eval A="<?xml version=\"1.0\"?>
<purchases>
<book>
<author>Martin, George R.R.</author>
<title yearPublished=\"1996\">A Game of Thrones</title>
<title yearPublished=\"1998\">A Clash of Kings</title>
</book>
<book>
<author>Clarke, Susanna</author>
<title yearPublished=\"2004\">Jonathan Strange and Mr. Norrell</title>
</book>
<book>
<author>Kay, Guy Gavriel</author>
<title yearPublished=\"1990\">Tigana</title>
</book>
<book>
<author>Bujold, Lois McMasters</author>
<title yearPublished=\"1986\">The Warrior's Apprentice</title>
</book>
</purchases>"
| eval _raw=A
| spath output=dates path=purchases.book.title{@yearPublished}
| table dates
Thanks
Thank you, but that works for cases where I know what fields I should expect.
Is there anything that could automatically convert the nested XML to searchable fields at index time?
Meaning, I want to extract all fields from the nested XML without knowing them.
Thanks again