Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Implement Generic Indexer for XML File With Repeating Key Names

moneybox
Explorer
‎12-22-2013 10:14 PM

Hi,
I'm using splunk for few weeks and its seems really great but recently i had some issue with one of the needs in a new project.

My target is to perform indexing and searching by tag inside XML Files within the following format


value
value
value
xxxxz
ceijciejci

I have no idea what will be the inner fields and how deep will they go.

a success would be for me a way to index everything by key-Value so i could search any of the keys and get all matching object with proper value within them.

my senses tells me i need to write some generic regex for this so thats what i did:

LINE_BREAKER=(<FileItem>.*?/) ### Object Bounderis

REGEX = <(?<_KEY_1>.+?)>(?<_VAL_1>.+?)<\/.+?> ### Generic Key-Value Indexer

its working really nice but there is one issue.
when i have 2 duplicate key with the same name and different value its seems like splunk takes only the first one of them [for example if i search Blabla=xxxxz it wont return any results]

is there any way to do it better and solve my issue?

Thanks.
:)

Tags (3)
0 Karma
Reply

moneybox
Explorer
‎12-23-2013 12:33 AM

Thanks Alot!~!

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎12-23-2013 12:03 AM

You can just add the key

MV_ADD = true

to your transforms extraction. That will turn a field with multiple values into a multi-valued field.

0 Karma
Reply

moneybox
Explorer
‎12-23-2013 12:33 AM

Thanks :)))

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...