Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

How can I extract fields as an array?

GersonGarcia
Explorer
‎10-03-2017 11:23 AM

Dear friends,

I have one event in my log file that my user want to extract fields as an array. The event is:

RequestTime="14 Sep 2017 23:59:47.819" RequesterIP="10.108.18.9" HTTPDThreadID="@http-0.0.0.0-3043-6" RequestType="AddMeterReadJob" RequestLen="2755" RequestTimeUnix="1505433587.819" ResponseType="JobIDResponse" ResponseLen="3652" ResponseTimeUnix="1505433587.866" ResponseTime="14 Sep 2017 23:59:47.866" ElapsedTime="0.047" OpenThreadCount="0" RequestXML='<urn:AddMeterReadJob xmlns:urn="urn:com:ssn:schema:service:v1.9:JobManager.xsd" AutoActivate="true"><urn:JobInfo><urn:Name>MeterInquiry_MeterRead_SYNC</urn:Name></urn:JobInfo><urn:MeterReadJob><urn:DeviceMacID>00:13:50:03:00:42:3a:ce</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:05:1e</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:49:88:7a</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:31:bc</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:15:21</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:42:2c:3f</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:14:a9</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:3f:2f</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:44:0d:16</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:47:fb:8f</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:fc:63</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:43:8c:3c</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3b:14:d3</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:fb:8c</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3a:ef:90</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3b:10:32</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3e:b1:c3</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3b:0b:90</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:f6:61</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3d:1a:d9</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:61:fa:f9</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:fc:38</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3c:23:74</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3e:5e:b3</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:49:05:45</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3b:14:a7</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:42:bf:09</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:42:6f:bd</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:47:70:a0</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:3e:a1:27</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:43:8c:46</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:42:c9:c8</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:fb:e8</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:40:d2:11</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:e1:ae</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:41:fd:6f</urn:DeviceMacID><urn:DeviceMacID>00:13:50:03:00:48:fb:65</urn:DeviceMacID><urn:MeterReadType><urn1:Name xmlns:urn1="urn:com:ssn:schema:service:v1.9:CommonEnumerations.xsd">JOB_OP_REGISTER_CURR_READ</urn1:Name></urn:MeterReadType><urn:NumberRetries>0</urn:NumberRetries><urn:Priority><urn1:Name xmlns:urn1="urn:com:ssn:schema:service:v1.9:CommonEnumerations.xsd">JOB_PRIORITY_HIGH</urn1:Name></urn:Priority></urn:MeterReadJob><urn:Schedule><urn:Immediate/></urn:Schedule><JobID>208115248</JobID></urn:AddMeterReadJob>'

I need to be able to get a list of urn:DeviceMacID and be able to manipulate them as field.

Is there any way?

Thank you

Gerson Garcia

0 Karma
Reply
Highlighted

Re: How can I extract fields as an array?

richgalloway
SplunkTrust
SplunkTrust
‎10-03-2017 11:54 AM

Here's one way.

<your base search> | rex field=RequestXML max_match=0 "\<urn:DeviceMacID>(?<DeviceMacID>[^\<]*)" | mvexpand DeviceMacID | ...
---
If this reply helps you, an upvote would be appreciated.
0 Karma
Reply