how we can assign a default value for empty tag wi...

imgarytan · ‎10-19-2020

Hi folks,

Any idea how we can assign a default value for empty tag with KV_MODE=xml?

The reason is, we have a xml segment repeated multiple times under same parent/grandparent, as such same tag names (xpath) repeated multiple times. So one field for each tag name is extracted with a mv value.
Now the issue is if some of the tag in the middle is empty, it will mess up the mv index in these fields.
And we need the full xpath as the field name, so it is hard to do a manual generic field extraction ($1::$2) either.

A quick thought is if we can fill up a special value in the raw, then all mv fields will stay well aligned. But is this the only option?

Any suggestion or better solution?
Or can we do it at search time with sonething like " | rex field=ccnumber mode=sed ..."

Thanks a lot

imgarytan · ‎10-19-2020

Or can we maintain the MV index, to have a mv value like below? so if the third tag is empty, then keep the empty value stay in the right index?
A
B

D

how we can assign a default value for empty tag with KV_MODE=xml?

field extraction

XML

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation