Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract Table in Event

RobertRi
Communicator
‎11-28-2020 07:26 AM

Hi Community!

I have a problem to extract a table in an XML event.

The data looks like this

 

 

<data type="info" text="sales:
    VW;1;30.000;
    Bentley;1;70.000;
    Seat;1;15.000;
   Dacia;1;10.000;
   Fiat;1;20.000;
">
<customer>Mr.X</customer>
<time>2020-11-28 16:21:00</time>
</data>

 

 



Now I want to have the fields for cartype, quantity and price (VW;1;30.000;).
So that I can summarize the whole sellings from one day.
Could you please help me with that?

Thank you very much!
Rob

Labels (2)
0 Karma
Reply

RobertRi
Communicator
‎11-30-2020 12:14 AM

Thank you very much!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-28-2020 08:52 AM 
| spath path="data{@text}" output=sales
| rex field=sales max_match=0 "\n\s+(?<cartype>[^;]+);(?<quantity>\d+);(?<price>[^;]+);"
Reply

RobertRi
Communicator
‎12-01-2020 12:13 AM

HI ITWhisperer!

Thank you very much for your answer, whith it I have an overview about my data.

Now I have a second question, regarding the prices.
It seems if there are more than 1 matches, the data will be stored like an array in the field.
If I export it to an csv it looks like this:

VW,2,30.000,0000
25.000,0000,

I have tried to round the price to a 2 digit value after the comma, but this does not work.

How can I grab each item in the field and modify it with an eval command?

Regards
Robert

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-01-2020 01:48 AM

What does the XML look like in this instance?

0 Karma
Reply

RobertRi
Communicator
‎12-01-2020 01:59 AM

It's the same like above except that the prices has multiple decimal places after the comma.

<data type="info" text="sales:
    VW;1;30.000;
    Bentley;1;70.000,000000;
    Seat;1;15.000,000000;
   Dacia;1;10.000,000000;
   Fiat;1;20.000,000000;
">
<customer>Mr.X</customer>
<time>2020-11-28 16:21:00</time>
</data>
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-01-2020 02:02 AM 
| spath path="data{@text}" output=sales
| rex field=sales max_match=0 "\n\s+(?<cartype>[^;]+);(?<quantity>\d+);(?<price>[^;,]+);"

Just add a comma to the exclusion list for the price.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...