Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to add and parse the xml data into splunk
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to add and parse the xml data into splunk
smusunuri
Explorer
12-30-2015
04:15 PM
Structure of the XML file looks like this
10:26:10 PST 16 Nov 2015
<employee details="ename;position;branch" department="XYZ">AA;systems engineer;seattle
</employee>
1:26:10 PST 16 Nov 2015
<employee details="ename;position;branch" department="XYZ">BB;Lead;seattle
CC;Tech Lead,Redmond
</employee>
6:26:10 PST 16 Nov 2015
<employee details="ename;position;branch" department="XYZ">DD;data architect;annapolis
</employee>
I need the output as:
ename position branch
AA systems engineer seattle
BB Lead seattle
CC Tech Lead Redmond
DD data architect annapolis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
12-30-2015
05:41 PM
The following SEDCMD will remove unwanted xml tags and refer to the delim stanza in transforms
SEDCMD-removeunwanted=s/(\<.*\>)(.*)(\W.*\>)/$2/g
REPORT-extractfields=extract_fields
See http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Anonymizedatausingconfigurationfiles for details
And add the following to your transforms
[extract_fields]
DELIMS = ";"
FIELDS = "ename", "position", "branch"
http://docs.splunk.com/Documentation/Splunk/6.2.0/admin/Transformsconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
smusunuri
Explorer
12-31-2015
11:46 AM
Actually I didn't work for me. Data with in tagsis not accepted by using $2. I'm getting output as
ename
10:26:10 PST 16 Nov 2015 $2
1:26:10 PST 16 Nov 2015 $2
6:26:10 PST 16 Nov 2015 $2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
smusunuri
Explorer
12-31-2015
11:54 AM
When I have a single row of values with in the tags-
<employee details="ename;position;branch" department="XYZ">AA;systems engineer;seattle
</employee>
Then I'm able to parse the data properly as I require. But when there are multiple rows ( multiple set of values) as mentioned in the above example posted,
<employee details="ename;position;branch" department="XYZ">BB;Lead;seattle
CC;Tech Lead;Redmond
</employee>
then I'm facing difficult to parse the data.
Example that worked out for me.
Data:
10:26:10 PST 16 Nov 2015
<employee details="ename;position;branch" department="XYZ">AA;systems engineer;seattle
</employee>
1:26:10 PST 16 Nov 2015
<employee details="ename;position;branch" department="XYZ">BB;Lead;seattle
</employee>
6:26:10 PST 16 Nov 2015
<employee details="ename;position;branch" department="XYZ">DD;data architect;annapolis
</employee>
props.conf
[employee]
SHOULD_LINEMERGE = true (combines multiple lines into single event)
MUST_BREAK_AFTER = </employee> (dividing the data into events)
NO_BINARY_CHECK = true
disabled = false
pulldown_type = true
REPORT-employee = emp (transform stanza name)
transforms.conf
[emp]
REGEX = <employee details="ename,position,branch" department="XYZ">(.*?)</employee> (regular expression for capturing the data within the tags)
FORMAT = details::$1 (format of the event)
MV_ADD = true (multivalued field)
REPEAT_MATCH = true
CSV data formatting
Splunk Query:
index = main sourcetype = employee | eval data = split(details,";") | eval name= mvindex(data,0) | eval position = mvindex(data,-2) | eval branch= mvindex(data,-1) | table data, name, position , branch
Output:
ename position branch
AA systems engineer seattle
BB Lead seattle
DD data architect annapolis
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
12-31-2015
12:12 PM
Not sure I understand your comment "When I have a single row of values with in the tags"? Can you share an example of when it doesn't work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
smusunuri
Explorer
12-31-2015
12:15 PM
See above. Modified my comment.
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
.conf25 Global Broadcast: Don’t Miss a Moment
Hello Splunkers,
.conf25 is only a click away.
Not able to make it to .conf25 in person? No worries, you can ...
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
What's New in Splunk Observability - August 2025
What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...
