Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- XML parsing and field mapping
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
XML parsing and field mapping
panwarsagar
Loves-to-Learn
12-30-2020
06:25 AM
Hi,
I have a XML file which i wants to load in Splunk and parse during indexing.
<measType p="1">node_cpu.idle</measType>
<measType p="2">node_cpu.iowait</measType>
<measType p="3">node_cpu.irq</measType>
<measType p="4">node_cpu.nice</measType>
<measType p="5">node_cpu.softirq</measType>
<measType p="6">node_cpu.steal</measType>
<measType p="7">node_cpu.system</measType>
<measType p="8">node_cpu.user</measType>
<measValue measObjLdn="host=xxxxxxxx-auxiliary-0,platform=1,cpu=0,instance=xxxxxxx-auxiliary-0:8001,job=node">
<r p="1">4366091.08</r>
<r p="2">27479.68</r>
<r p="3">0</r>
<r p="4">479</r>
<r p="5">18939.5</r>
<r p="6">1157.43</r>
<r p="7">73459.64</r>
<r p="8">64291.39</r>
</measValue>
This has the measType p1.....p8 and value in measValue p1.....p8. I would like to create field like
node_cpu.idle=4366091.08
node_cpu.iowait=27479.68 and so on.
Could you please guide how I can achieve this using props.conf anf transforms.conf settings
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
12-31-2020
02:10 AM
index=_internal | head 1 | fields _raw
| eval _raw="<measType p=\"1\">node_cpu.idle</measType>
<measType p=\"2\">node_cpu.iowait</measType>
<measType p=\"3\">node_cpu.irq</measType>
<measType p=\"4\">node_cpu.nice</measType>
<measType p=\"5\">node_cpu.softirq</measType>
<measType p=\"6\">node_cpu.steal</measType>
<measType p=\"7\">node_cpu.system</measType>
<measType p=\"8\">node_cpu.user</measType>
<measValue measObjLdn=\"host=xxxxxxxx-auxiliary-0,platform=1,cpu=0,instance=xxxxxxx-auxiliary-0:8001,job=node\">
<r p=\"1\">4366091.08</r>
<r p=\"2\">27479.68</r>
<r p=\"3\">0</r>
<r p=\"4\">479</r>
<r p=\"5\">18939.5</r>
<r p=\"6\">1157.43</r>
<r p=\"7\">73459.64</r>
<r p=\"8\">64291.39</r>
</measValue>"
| spath
| eval type=mvzip(measType,'measType{@p}'), value=mvzip('measValue.r','measValue.r{@p}'), tmp=mvzip(type,value)
| rename measValue{@measObjLdn} as objLdn
| stats values(objLdn) as objLdn by tmp
| rex field=tmp "(?<type>[\w.]+),(?<type_p>\d),(?<value>[\w.]+),(?<value_p>\d)"
| eval {type}=value
| stats values(node_*) as node_* by objLdn
| rename objLdn as _raw
| kvIf you can extract the fields in props.conf, you should be able to get by with transforms.conf.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
12-30-2020
02:45 PM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
panwarsagar
Loves-to-Learn
12-31-2020
01:04 AM
Get Updates on the Splunk Community!
AppDynamics Summer Webinars
This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...
SOCin’ it to you at Splunk University
Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...
Credit Card Data Protection & PCI Compliance with Splunk Edge Processor
Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
