Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Data Model - How to easily add XML elements

czzpl9
New Member
‎12-04-2013 12:00 PM

Have recently installed the new Splunk 6 and started the process of building Data models. Most of my data sources tend to be application based logs with very mixed formats and it doesn't make sense to specify the entire file as XML. As a result, when building a targeted search/dashboard I will pipe "|" my search to xmlkv to extract the input request portion.

With the new Data Model, it is easy enough to add children that narrow the search result to just the lines that contain XML data, but I'm not seeing a way to easily add all XML attributes (short of 1 by 1 single extractions)

Am I overlooking something?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kpdonahoe31768
Explorer
‎04-08-2014 02:10 PM

I've been adding eval expression attributes using the spath(_raw,Parent.Child{@attribute}) method to get at all my xml attribute=value pairs.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kpdonahoe31768
Explorer
‎04-08-2014 02:10 PM

I've been adding eval expression attributes using the spath(_raw,Parent.Child{@attribute}) method to get at all my xml attribute=value pairs.

0 Karma
Reply
Solved! Jump to solution

splunk_worker
Path Finder
‎06-24-2014 07:10 PM

Hi

I'm also facing the same problem. Where to add spath(_raw,Parent.Child{@attribute}) in Data Modeling step?

This is my query and I want to add it to Data Model. Can you please help me with steps?

index=abc | rex "(?{[^}]+})" | mvexpand json_field | spath input=json_field

  1. created root event with index=abc
  2. added a regular express for json_field.

What is the next step for spath? If would be great if you give the steps.

Thanks in advance.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...