Solved: Extract string within specific tag

kirangurram · ‎03-19-2019

Hello Experts ,
Need your assistance to extract output from one of the below XML tags.
I have three XML tags with same naming convention and I want only extract specific value 3 from the below tags.
can you help me to provide rex commend (or) any other commend which will only extract value 3 from the below tags.

<Val Ty="CHAR">Feedback</Val>
<Val Ty="CHAR">3</Val>
<Val Ty="CHAR">TRST</Val>

your help is much appreciated.

vnravikumar · ‎03-19-2019

Hi

Try this

|makeresults  |eval tag="<Val Ty=\"CHAR\">Feedback</Val>
<Val Ty=\"CHAR\">3</Val>
<Val Ty=\"CHAR\">TRST</Val>" |rex field=tag "CHAR\"\>(?P<output>(\d+))\<"

OR

| makeresults 
| eval tag="<Val Ty=\"CHAR\">Feedback</Val>
 <Val Ty=\"CHAR\">3</Val>
 <Val Ty=\"CHAR\">TRST</Val>" 
| rex field=tag max_match=0 "\"CHAR\">(?P<output>.+)<" 
| eval result = mvindex(output,1)

View solution in original post

kirangurram · ‎03-19-2019

Thanks @vnravikumar , below solution works.
Second solution didnt give me desired results.

|makeresults |eval tag="Feedback
3
TRST" |rex field=tag "CHAR\">(?P(\d+))<"

vnravikumar · ‎03-19-2019

Hi

Try this

|makeresults  |eval tag="<Val Ty=\"CHAR\">Feedback</Val>
<Val Ty=\"CHAR\">3</Val>
<Val Ty=\"CHAR\">TRST</Val>" |rex field=tag "CHAR\"\>(?P<output>(\d+))\<"

OR

| makeresults 
| eval tag="<Val Ty=\"CHAR\">Feedback</Val>
 <Val Ty=\"CHAR\">3</Val>
 <Val Ty=\"CHAR\">TRST</Val>" 
| rex field=tag max_match=0 "\"CHAR\">(?P<output>.+)<" 
| eval result = mvindex(output,1)

Extract string within specific tag

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation