Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Implement Generic Indexer for XML File With Repeating Key Names

moneybox
Explorer
‎12-22-2013 10:14 PM

Hi,
I'm using splunk for few weeks and its seems really great but recently i had some issue with one of the needs in a new project.

My target is to perform indexing and searching by tag inside XML Files within the following format


value
value
value
xxxxz
ceijciejci

I have no idea what will be the inner fields and how deep will they go.

a success would be for me a way to index everything by key-Value so i could search any of the keys and get all matching object with proper value within them.

my senses tells me i need to write some generic regex for this so thats what i did:

LINE_BREAKER=(<FileItem>.*?/) ### Object Bounderis

REGEX = <(?<_KEY_1>.+?)>(?<_VAL_1>.+?)<\/.+?> ### Generic Key-Value Indexer

its working really nice but there is one issue.
when i have 2 duplicate key with the same name and different value its seems like splunk takes only the first one of them [for example if i search Blabla=xxxxz it wont return any results]

is there any way to do it better and solve my issue?

Thanks.
:)

Tags (3)
0 Karma
Reply

moneybox
Explorer
‎12-23-2013 12:33 AM

Thanks Alot!~!

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎12-23-2013 12:03 AM

You can just add the key

MV_ADD = true

to your transforms extraction. That will turn a field with multiple values into a multi-valued field.

0 Karma
Reply

moneybox
Explorer
‎12-23-2013 12:33 AM

Thanks :)))

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...