Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Fetch key/value pair from webservice request?

sachinlohchab
New Member
‎02-15-2018 10:28 AM

Hi I need to fetch key/value pair values from below request.. please help

like for Name key should return Siri
for USER_ROLE return BUS

Request passing as below:

        <entry>
            <key>Name</key>
            <value>Siri</value>
        </entry>
        <entry>
            <key>U_ROLE</key>
            <value>BUS</value>
        </entry>
0 Karma
Reply

niketn
Legend
‎02-17-2018 08:10 PM

@sachinlohchab, based on the sample data provided, try the following run anywhere search. If you have JSON data, KV_MODE=json should be set in props.conf for your sourcetype for automatic search time field extraction. In anycase you can use the commands from | spath onward for your current base search.

| makeresults
| eval _raw="<entry><key>Name</key><value>Siri</value></entry><entry><key>U_ROLE</key><value>BUS</value></entry>"
| spath
| eval data=mvzip('entry.key','entry.value')
| fields - entry.*
| mvexpand data
| eval data=split(data,",")
| eval key=mvindex(data,0), value=mvindex(data,1)
| fields - data _raw _time
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

micahkemp
Champion
‎02-16-2018 07:04 PM

I'm not proud of this search, but it does work:

| makeresults 
| eval _raw="<entry><key>Name</key><value>Siri</value></entry><entry><key>U_ROLE</key><value>BUS</value></entry>"
| xpath outfield=value "//entry/value"
| eval value=mvjoin(value, ",")
| xpath outfield=key "//entry[value]/key"
| makemv delim="," value
| eval key_value=mvzip(key, value)
| fields key_value
| mvexpand key_value
| rex field=key_value "(?<key>[^,]+),(?<value>.*)"

The mvjoin and makemv lines are there because, for some reason, calling xpath a second time results in the first multivalue field it produced being squashed into a single, space-delimited value instead.

Perhaps someone will come along and show the proper way to do this. I've never used it before.

0 Karma
Reply

sachinlohchab
New Member
‎02-17-2018 05:07 PM

Written below regex to fetch the value I need...works for me..

rex field=_raw "USR_ROLE<\/key>$\n[ ](?.|)<\/value>$"

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2018 02:31 PM

Have you looked at the xpath command?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sachinlohchab
New Member
‎02-16-2018 02:39 PM

Can you give me the command to fetch per my request. I am new to splunk

0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...