Can be xpath command used for field extraction in props.conf or transforms.conf?

lukasmecir
Path Finder

Hello,

I have a question about the xpath command. I have an XML log like this:

<PropertyGroup>
    <Property>
        <Name>Application</Name>
        <Value>eSpis</Value>
    </Property>
    <PropertyComplex>
        <Name>Permissions</Name>
        <PropertyGroup>
            <Property>
                <Name>Operation</Name>
                <Value>Add</Value>
            </Property>
            <Property>
                <Name>OrgUnitId</Name>
                <Value>50000978</Value>
            </Property>
        </PropertyGroup>
    </PropertyComplex>
</PropertyGroup>

There are no unique element names; <Name> and <Value> keep repeating.

I would like to extract fields based on the <Name> and <Value> elements, like this:

Application = eSpis

Permissions.Operation = Add

Permissions.OrgUnitId = 50000978

I know how to do it in SPL with the xpath command, but my question is: is there any way to do it in a search-time field extraction using xpath in the props or transforms config files? Thanks for the help.

Best regards

Lukas Mecir


venkatasri
SplunkTrust

Hi @lukasmecir 

There is no xpath-style config that you can use inside props.conf and transforms.conf. However, you can try using REGEX in transforms.conf.

* Without using FORMAT
    * REGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+)
* When using either of the above formats, in a search-time extraction, the regular expression attempts to match against the source text, extracting as many fields as can be identified in the source text.

Reference - https://docs.splunk.com/Documentation/Splunk/8.2.0/Admin/Transformsconf#GLOBAL_SETTINGS

----------

An upvote would be appreciated if it helps!
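As an added example (not code from this thread, nor Splunk's own), the Python script below shows what the REGEX-only transforms.conf approach from the answer actually yields on the question's event, next to what the SPL xpath command can produce. The stanza name xml_name_value_pairs, the REPORT- setting name and the helper functions are assumptions for illustration; the event is the question's XML pasted in as a constructed sample. The `[a-z]+` in the answer is the docs' illustrative pattern; the stanza here uses `[^<]+` so that numeric values such as 50000978 are captured and a value cannot run into the next tag. The _KEY_n/_VAL_n semantics are re-implemented in splunk_style_extract so the script runs offline; Splunk itself does the equivalent at search time.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample event: the XML from the question, indented consistently.
EVENT = """<PropertyGroup>
    <Property>
        <Name>Application</Name>
        <Value>eSpis</Value>
    </Property>
    <PropertyComplex>
        <Name>Permissions</Name>
        <PropertyGroup>
            <Property>
                <Name>Operation</Name>
                <Value>Add</Value>
            </Property>
            <Property>
                <Name>OrgUnitId</Name>
                <Value>50000978</Value>
            </Property>
        </PropertyGroup>
    </PropertyComplex>
</PropertyGroup>"""

# Hypothetical transforms.conf stanza in the style the answer points at.
# The stanza name is an assumption; props.conf would reference it with
# something like "REPORT-xml_nv = xml_name_value_pairs" on the sourcetype.
# [^<]+ (rather than the docs' [a-z]+) matches digits and stops at the next tag.
TRANSFORMS_CONF = r"""
[xml_name_value_pairs]
REGEX = <Name>(?<_KEY_1>[^<]+)</Name>\s*<Value>(?<_VAL_1>[^<]+)</Value>
"""


def regex_from_stanza(conf: str) -> str:
    """Return the REGEX setting of a transforms.conf stanza."""
    for line in conf.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "REGEX":
            return value.strip()
    raise ValueError("stanza has no REGEX setting")


def splunk_style_extract(event: str, regex: str) -> dict:
    """Offline approximation of a search-time REGEX extraction without FORMAT:
    every match adds one field named by _KEY_n with the value of _VAL_n, and
    a name seen more than once becomes a multivalue field (a list here)."""
    # Splunk uses PCRE named groups (?<name>...); Python's re wants (?P<name>...).
    pattern = re.compile(re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", regex))
    fields = defaultdict(list)
    for match in pattern.finditer(event):
        groups = match.groupdict()
        for group_name, field_name in groups.items():
            if not group_name.startswith("_KEY_"):
                continue
            field_value = groups.get("_VAL_" + group_name[len("_KEY_"):])
            if field_name is not None and field_value is not None:
                fields[field_name.strip()].append(field_value)
    return dict(fields)


def tree_extract(event: str) -> dict:
    """What the SPL xpath command can give and the flat regex cannot: walk the
    tree and prefix each Name/Value pair with the Name of every enclosing
    PropertyComplex, yielding the dotted keys the question asks for."""
    # Log content is attacker-influenced input; for production parsing prefer
    # defusedxml, which guards against entity-expansion (billion laughs)
    # payloads that the stdlib parser does not defend against.
    root = ET.fromstring(event)
    fields = {}

    def walk(node, prefix):
        for child in node:
            if child.tag == "Property":
                name, value = child.findtext("Name"), child.findtext("Value")
                if name is not None and value is not None:
                    fields[".".join(prefix + [name.strip()])] = value.strip()
            elif child.tag == "PropertyComplex":
                name = child.findtext("Name")
                walk(child, prefix + ([name.strip()] if name else []))
            else:  # nested PropertyGroup (or a leaf Name): keep the current prefix
                walk(child, prefix)

    walk(root, [])
    return fields


if __name__ == "__main__":
    regex = regex_from_stanza(TRANSFORMS_CONF)
    print("transforms.conf REGEX:", splunk_style_extract(EVENT, regex))
    print("xpath-style tree walk:", tree_extract(EVENT))
```

Running it makes the limitation visible: the flat REGEX yields Application, Operation and OrgUnitId, but never Permissions.Operation, because a _KEY_/_VAL_ extraction names each field from a single capture group and knows nothing about the enclosing PropertyComplex, while the tree walk recovers that prefix. Also note that the `Permissions` name itself produces no field at all, since no <Value> follows it; a regex-based extraction silently skips such structure rather than reporting it.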
