Hi, I need to fetch key/value pair values from the request below. Please help.
For example, the Name key should return Siri,
and USER_ROLE should return BUS.
The request is passed as below:
<entry>
<key>Name</key>
<value>Siri</value>
</entry>
<entry>
<key>U_ROLE</key>
<value>BUS</value>
</entry>
@sachinlohchab, based on the sample data provided, try the following run-anywhere search. If you have JSON data, KV_MODE=json should be set in props.conf for your sourcetype for automatic search time field extraction. In any case you can use the commands from | spath onward for your current base search.
| makeresults
| eval _raw="<entry><key>Name</key><value>Siri</value></entry><entry><key>U_ROLE</key><value>BUS</value></entry>"
| spath
| eval data=mvzip('entry.key','entry.value')
| fields - entry.*
| mvexpand data
| eval data=split(data,",")
| eval key=mvindex(data,0), value=mvindex(data,1)
| fields - data _raw _time
I'm not proud of this search, but it does work:
| makeresults
| eval _raw="<entry><key>Name</key><value>Siri</value></entry><entry><key>U_ROLE</key><value>BUS</value></entry>"
| xpath outfield=value "//entry/value"
| eval value=mvjoin(value, ",")
| xpath outfield=key "//entry[value]/key"
| makemv delim="," value
| eval key_value=mvzip(key, value)
| fields key_value
| mvexpand key_value
| rex field=key_value "(?<key>[^,]+),(?<value>.*)"
The mvjoin and makemv lines are there because, for some reason, calling xpath a second time results in the first multivalue field it produced being squashed into a single, space-delimited value instead.
Perhaps someone will come along and show the proper way to do this. I've never used it before.
I wrote the regex below to fetch the value I need. It works for me.
rex field=_raw "USR_ROLE<\/key>$\n[ ](?.|)<\/value>$"
Have you looked at the xpath command?
Can you give me the command to fetch this per my request? I am new to Splunk.