Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Help needed in the extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help needed in the extraction
Hello
I have a data which has multiple rows under a single event. I want to extract all of them on their "name" along with value. KV_MODE = xml doesn't work on this as the format is a bit different . So I am using transform.conf file to be able to extract this. I have also listed the transforms which I am trying. Any ideas if this is the right way or if there is any better way to do this?
Data:
<ResultSetData>
<Row>
<Column name="HOST_NAME">hostname234</Column>
<Column name="INSTANCE_NAME">xxxxxx/Column>
<Column name="USERNAME">abc</Column>
<Column name="ACCOUNT_STATUS">OPEN</Column>
<Column name="CREATED">12/09/2013 15:01:31</Column>
<Column name="EXPIRY_DATE">06/07/2014 15:01:31</Column>
<Column name="DEFAULT_TABLESPACE">zzzzz</Column>
<Column name="DEFAULT_PROFILE">NO</Column>
</Row>
<Row>
<Column name="HOST_NAME">hostname123</Column>
<Column name="INSTANCE_NAME">xxxxxx</Column>
<Column name="USERNAME">abc123</Column>
<Column name="ACCOUNT_STATUS">OPEN</Column>
<Column name="CREATED">10/17/2012 08:04:56</Column>
<Column name="EXPIRY_DATE">01/19/2013 15:44:13</Column>
<Column name="DEFAULT_TABLESPACE">zzzzz</Column>
<Column name="DEFAULT_PROFILE">NO</Column>
</Row>
</ResultSetData>
transforms.conf
[xml-extr]
REGEX = name=\"(\S+)?\"\>(\S+)?\<
FORMAT = $1::$2
REPEAT_MATCH = true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use this:
transforms.conf
[xml-extr]
REGEX = name=\"(\w+)?\"\>([a-zA-Z0-9:// ]*)?\<
FORMAT = $1::$2
REPEAT_MATCH = true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi theouhuios ,
You can use the following in ur transforms.conf .
[xml-extr]
REGEX=name=\"HOST_NAME\">(?
MV_ADD = true
Hope this helps !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That will extract just the hostname. I want to avoid writing multiple regexes for each column field. I am trying for a way to capture anything in the name part as a field which a user can search on with corresponding values for it in multiple lines.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that your example is 1 full event, it's not pure XML. You're lacking a closing for instance, but maybe
<your search> | spath
Can help you extract the fields that you want. A quick test gives me the fields Column{@name} and Column that might contain the information you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have tried that, but thats not the way I want it. I want it as HOST_NAME as a field with values of hostname234 and hostname 123.So It has to be made to a key=value pair as many users of this data are not technical people.
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
Feel the Splunk Love: Real Stories from Real Customers
Data Management Digest – November 2025
