Re: How do I extract xml tag using regex?

merrin · ‎03-16-2012

I tried to extract xml tagNames as fields fieldNameStartTag and fieldNameEndTag using the following.

rex field=_raw "<(?.)>([^<]+)</(?.)>"
But it does not extract all tags correctly. For example I have this xml:

abc
xyz

What I'm looking for is fieldNameStartTag and/or fieldNameEndTag to have values "ChildOne" and "ChildTwo". But the regex above gives me values like these:
1. Parent xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.abcd.com"> abc
2. ChildOne>xyz

Any help is appreciated.

gkanapathy · ‎03-16-2012

You should use the spath command, if you're on 4.3 or higher. If you're on older versions, the xmlkv command will also work for you.

emechler_splunk · ‎03-16-2012

Have you checked out the xmlkv command? This allows you to automatically extract KV pairs from XML formatted data without any regex's:

http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/xmlkv

How do I extract xml tag using regex?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation