Can the xpath command be used for field extraction in props.conf or transforms.conf?

lukasmecir
Path Finder

Hello,

I have a question about the xpath command. I have an XML log like this:

<PropertyGroup>
  <Property>
    <Name>Application</Name>
    <Value>eSpis</Value>
  </Property>
  <PropertyComplex>
    <Name>Permissions</Name>
    <PropertyGroup>
      <Property>
        <Name>Operation</Name>
        <Value>Add</Value>
      </Property>
      <Property>
        <Name>OrgUnitId</Name>
        <Value>50000978</Value>
      </Property>
    </PropertyGroup>
  </PropertyComplex>
</PropertyGroup>

There are no unique element names; <Name> and <Value> keep repeating.

I would like to extract fields based on <Name> and <Value> elements, like this:

Application=eSpis

Permissions.Operation = Add

Permission.OrgUnitId = 50000978

I know how to do it in SPL with the xpath command, but my question is: is there any way to do it in a search-time field extraction using xpath in the props or transforms config files? Thanks for your help.

Best regards

Lukas Mecir


venkatasri
SplunkTrust

Hi @lukasmecir 

There is no xpath-style config that you can use inside props.conf & transforms.conf. However, you can try using REGEX in transforms.conf.

* Without using FORMAT
  * REGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)
  * When using either of the above formats, in a search-time extraction, the regular expression attempts to match against the source text, extracting as many fields as can be identified in the source text.

Reference - https://docs.splunk.com/Documentation/Splunk/8.2.0/Admin/Transformsconf#GLOBAL_SETTINGS

----------

An upvote would be appreciated if it helps!
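Applied to the XML from the question, the _KEY_1/_VAL_1 approach looks like the following (an added example, not from the original answer; the stanza name xml_name_value_pairs and the sourcetype espis_xml are assumptions). Each <Name>…</Name> followed by <Value>…</Value> becomes one field, so the output is Application=eSpis, Operation=Add and OrgUnitId=50000978: a flat regex cannot carry the enclosing PropertyComplex name, so the "Permissions." prefix from the question is only available through xpath at search time.

```ini
# transforms.conf (assumed stanza name)
[xml_name_value_pairs]
# No FORMAT line: the named groups _KEY_1 and _VAL_1 supply the field name
# and value directly, and the regex is applied to every matching pair in the
# event. [^<]+ stops at the closing tag; \s* allows the newline and
# indentation between </Name> and <Value>.
REGEX = <Name>(?<_KEY_1>[^<]+)</Name>\s*<Value>(?<_VAL_1>[^<]+)</Value>
# If the same <Name> (e.g. Operation) appears in several PropertyGroup blocks
# of one event, collect the values as a multivalue field instead of keeping
# only the first match.
MV_ADD = true
# Default is already true: field names with spaces or dashes are rewritten
# to underscores, so a <Name> such as "Org Unit" becomes Org_Unit.
CLEAN_KEYS = true

# props.conf (assumed sourcetype name)
[espis_xml]
# REPORT- makes this a search-time extraction, as the question asks for.
REPORT-xml_name_value = xml_name_value_pairs
```

Check the result with `| fieldsummary` or `| table Application Operation OrgUnitId` on a few events before relying on it in searches.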

