Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help needed in the extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help needed in the extraction
Hello
I have a data which has multiple rows under a single event. I want to extract all of them on their "name" along with value. KV_MODE = xml doesn't work on this as the format is a bit different . So I am using transform.conf file to be able to extract this. I have also listed the transforms which I am trying. Any ideas if this is the right way or if there is any better way to do this?
Data:
<ResultSetData>
<Row>
<Column name="HOST_NAME">hostname234</Column>
<Column name="INSTANCE_NAME">xxxxxx/Column>
<Column name="USERNAME">abc</Column>
<Column name="ACCOUNT_STATUS">OPEN</Column>
<Column name="CREATED">12/09/2013 15:01:31</Column>
<Column name="EXPIRY_DATE">06/07/2014 15:01:31</Column>
<Column name="DEFAULT_TABLESPACE">zzzzz</Column>
<Column name="DEFAULT_PROFILE">NO</Column>
</Row>
<Row>
<Column name="HOST_NAME">hostname123</Column>
<Column name="INSTANCE_NAME">xxxxxx</Column>
<Column name="USERNAME">abc123</Column>
<Column name="ACCOUNT_STATUS">OPEN</Column>
<Column name="CREATED">10/17/2012 08:04:56</Column>
<Column name="EXPIRY_DATE">01/19/2013 15:44:13</Column>
<Column name="DEFAULT_TABLESPACE">zzzzz</Column>
<Column name="DEFAULT_PROFILE">NO</Column>
</Row>
</ResultSetData>
transforms.conf
[xml-extr]
REGEX = name=\"(\S+)?\"\>(\S+)?\<
FORMAT = $1::$2
REPEAT_MATCH = true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use this:
transforms.conf
[xml-extr]
REGEX = name=\"(\w+)?\"\>([a-zA-Z0-9:// ]*)?\<
FORMAT = $1::$2
REPEAT_MATCH = true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi theouhuios ,
You can use the following in ur transforms.conf .
[xml-extr]
REGEX=name=\"HOST_NAME\">(?
MV_ADD = true
Hope this helps !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That will extract just the hostname. I want to avoid writing multiple regexes for each column field. I am trying for a way to capture anything in the name part as a field which a user can search on with corresponding values for it in multiple lines.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that your example is 1 full event, it's not pure XML. You're lacking a closing for instance, but maybe
<your search> | spath
Can help you extract the fields that you want. A quick test gives me the fields Column{@name} and Column that might contain the information you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have tried that, but thats not the way I want it. I want it as HOST_NAME as a field with values of hostname234 and hostname 123.So It has to be made to a key=value pair as many users of this data are not technical people.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
