Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

XML parsing and field mapping

panwarsagar
Loves-to-Learn
‎12-30-2020 06:25 AM

Hi,

 

I have a XML file which i wants to load in Splunk and parse during indexing.

<measType p="1">node_cpu.idle</measType>
<measType p="2">node_cpu.iowait</measType>
<measType p="3">node_cpu.irq</measType>
<measType p="4">node_cpu.nice</measType>
<measType p="5">node_cpu.softirq</measType>
<measType p="6">node_cpu.steal</measType>
<measType p="7">node_cpu.system</measType>
<measType p="8">node_cpu.user</measType>
<measValue measObjLdn="host=xxxxxxxx-auxiliary-0,platform=1,cpu=0,instance=xxxxxxx-auxiliary-0:8001,job=node">
<r p="1">4366091.08</r>
<r p="2">27479.68</r>
<r p="3">0</r>
<r p="4">479</r>
<r p="5">18939.5</r>
<r p="6">1157.43</r>
<r p="7">73459.64</r>
<r p="8">64291.39</r>
</measValue>

This has the measType p1.....p8 and value in measValue  p1.....p8. I would like to create field like 

node_cpu.idle=4366091.08

node_cpu.iowait=27479.68 and so on.

 

Could you please guide how I can achieve this using props.conf anf transforms.conf settings 

Labels (2)
Labels
0 Karma
Reply

to4kawa
Ultra Champion
‎12-31-2020 02:10 AM

 

index=_internal | head 1 | fields _raw
| eval _raw="<measType p=\"1\">node_cpu.idle</measType>
<measType p=\"2\">node_cpu.iowait</measType>
<measType p=\"3\">node_cpu.irq</measType>
<measType p=\"4\">node_cpu.nice</measType>
<measType p=\"5\">node_cpu.softirq</measType>
<measType p=\"6\">node_cpu.steal</measType>
<measType p=\"7\">node_cpu.system</measType>
<measType p=\"8\">node_cpu.user</measType>
<measValue measObjLdn=\"host=xxxxxxxx-auxiliary-0,platform=1,cpu=0,instance=xxxxxxx-auxiliary-0:8001,job=node\">
<r p=\"1\">4366091.08</r>
<r p=\"2\">27479.68</r>
<r p=\"3\">0</r>
<r p=\"4\">479</r>
<r p=\"5\">18939.5</r>
<r p=\"6\">1157.43</r>
<r p=\"7\">73459.64</r>
<r p=\"8\">64291.39</r>
</measValue>"
| spath
| eval type=mvzip(measType,'measType{@p}'), value=mvzip('measValue.r','measValue.r{@p}'), tmp=mvzip(type,value)
| rename measValue{@measObjLdn} as objLdn
| stats values(objLdn) as objLdn by tmp
| rex field=tmp "(?<type>[\w.]+),(?<type_p>\d),(?<value>[\w.]+),(?<value_p>\d)"
| eval {type}=value
| stats values(node_*) as node_* by objLdn
| rename objLdn as _raw
| kv

If you can extract the fields in props.conf, you should be able to get by with transforms.conf.

 

0 Karma
Reply

to4kawa
Ultra Champion
‎12-30-2020 02:45 PM

https://community.splunk.com/t5/Getting-Data-In/How-to-configure-XML-data-parsing/m-p/279706

0 Karma
Reply

panwarsagar
Loves-to-Learn
‎12-31-2020 01:04 AM

Sorry to say this doesn't provide solution to my problem. 

Tags (2)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...