Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to extract xml tag fileds

mintucs
New Member
‎05-27-2018 11:28 PM

after iindesing the xml tags i am getting the as show below
i am getting trouble how extract the data from it

  <IDX_BASE>B1102</IDX_BASE>
  <NOM_BASE>LANDES DE COUESME</NOM_BASE>
  <IDX_EQUIPEMENT>501</IDX_EQUIPEMENT>
  <NOM_EQUIPEMENT>E3</NOM_EQUIPEMENT>
  <DH_CONTROLE>2/6/2018 16:6:4</DH_CONTROLE>
  <ETAT_ALARME>ALM</ETAT_ALARME>
  <AVIS_EXPERT>ACCEPTABLE</AVIS_EXPERT>
  <RESUME_DIAG>MB: chocs \xE9pisodiques</RESUME_DIAG>
  <DETAILS_DIAG>
Tags (1)
0 Karma
Reply

TISKAR
Builder
‎05-28-2018 01:45 AM

Hello can you try this please:

in the props.conf 

[xml2]
DATETIME_CONFIG = 
NO_BINARY_CHECK = 1
category = Structured
pulldown_type = 1
SHOULD_LINEMERGE = true
REPORT-xmlkv = xml_trans2
disabled = false

in your transforms.conf add :

[xml_trans2]
REGEX=<([^>]+)>([^<]+)<\/\1>
FORMAT=$1::$2
MV_ADD = true
0 Karma
Reply

niketn
Legend
‎05-28-2018 01:38 AM

@mintucs, your XML Data schema seems incorrect. There should be a root node under which above xml child nodes should be present. If you have xml data in raw events, you can enable KV_MODE=xml in props.conf to have Splunk automatically extract the fields from XML data during search time field discovery.

On similar lines please try the following run anywhere example where | makeresults and | eval _raw pipes generate dummy data as per the question. (PS: I have added <SOMENODE> as root node for the xml to become a valid xml so that spath can work):

| makeresults 
| eval _raw="<SOMENODE>
   <IDX_BASE>B1102</IDX_BASE>
   <NOM_BASE>LANDES DE COUESME</NOM_BASE>
   <IDX_EQUIPEMENT>501</IDX_EQUIPEMENT>
   <NOM_EQUIPEMENT>E3</NOM_EQUIPEMENT>
   <DH_CONTROLE>2/6/2018 16:6:4</DH_CONTROLE>
   <ETAT_ALARME>ALM</ETAT_ALARME>
   <AVIS_EXPERT>ACCEPTABLE</AVIS_EXPERT>
   <RESUME_DIAG>MB: chocs \xE9pisodiques</RESUME_DIAG>
   </SOMENODE>" 
| spath
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...