Getting Data In
Highlighted

How to Fetch key/value pair from webservice request?

New Member

Hi I need to fetch key/value pair values from below request.. please help

like for Name key should return Siri
for USER_ROLE return BUS

Request passing as below:

        <entry>
            <key>Name</key>
            <value>Siri</value>
        </entry>
        <entry>
            <key>U_ROLE</key>
            <value>BUS</value>
        </entry>
0 Karma
Highlighted

Re: How to Fetch key/value pair from webservice request?

SplunkTrust
SplunkTrust

Have you looked at the xpath command?

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: How to Fetch key/value pair from webservice request?

New Member

Can you give me the command to fetch per my request. I am new to splunk

0 Karma
Highlighted

Re: How to Fetch key/value pair from webservice request?

Champion

I'm not proud of this search, but it does work:

| makeresults 
| eval _raw="<entry><key>Name</key><value>Siri</value></entry><entry><key>U_ROLE</key><value>BUS</value></entry>"
| xpath outfield=value "//entry/value"
| eval value=mvjoin(value, ",")
| xpath outfield=key "//entry[value]/key"
| makemv delim="," value
| eval key_value=mvzip(key, value)
| fields key_value
| mvexpand key_value
| rex field=key_value "(?<key>[^,]+),(?<value>.*)"

The mvjoin and makemv lines are there because, for some reason, calling xpath a second time results in the first multivalue field it produced being squashed into a single, space-delimited value instead.

Perhaps someone will come along and show the proper way to do this. I've never used it before.

0 Karma
Highlighted

Re: How to Fetch key/value pair from webservice request?

New Member

Written below regex to fetch the value I need...works for me..

rex field=raw "USRROLE<\/key>$\n[ ](?.|)<\/value>$"

0 Karma
Highlighted

Re: How to Fetch key/value pair from webservice request?

Legend

@sachinlohchab, based on the sample data provided, try the following run anywhere search. If you have JSON data, KV_MODE=json should be set in props.conf for your sourcetype for automatic search time field extraction. In anycase you can use the commands from | spath onward for your current base search.

| makeresults
| eval _raw="<entry><key>Name</key><value>Siri</value></entry><entry><key>U_ROLE</key><value>BUS</value></entry>"
| spath
| eval data=mvzip('entry.key','entry.value')
| fields - entry.*
| mvexpand data
| eval data=split(data,",")
| eval key=mvindex(data,0), value=mvindex(data,1)
| fields - data _raw _time



| eval message="Happy Splunking!!!"


0 Karma