Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create the Regular Expression for the xml

m7787580
Explorer
‎06-22-2017 08:48 AM

Hi Team,

I have XML in the format present below and i am trying to use field transformation and field extraction in order to extract the field in people format.

Could you please help me in creating regular expression for this xml

<ns4:includeme>false</ns4:includeme>
<m:houseref>21</m:houseref>
<m1:security>***</m1:security>
<Name>Argus</Name>

I would like to have a single regular expression which i can use to extract all the field values and field name.

I tried to use below

- \<\w?\w?\d?\:([^\>]+)\>([^\<]+)\<\/

But its not capturing the last one Argus

So i would like to know if it can be possible if yes then what would be the expression.

Many Thanks

0 Karma
Reply

woodcock
Esteemed Legend
‎06-22-2017 01:01 PM

Why not use spath (you can certainly go with @richgalloway's answer)?

0 Karma
Reply

m7787580
Explorer
‎06-23-2017 02:50 AM

Hi Richgalloway's

I am not sure how to use spath.

If you help me in understanding the syntax and usage it would be helpfull.

Many Thanks,

0 Karma
Reply

woodcock
Esteemed Legend
‎06-23-2017 03:01 AM

You are going to LOVE this. Just add this to the end of your existing search and freak out:

| spath
0 Karma
Reply

m7787580
Explorer
‎06-23-2017 03:21 AM

Hi wood,

I still cannot see the fields getting extracted 😞

0 Karma
Reply

woodcock
Esteemed Legend
‎06-24-2017 09:03 AM

Try this and then figure out what is what is wonky in your search (by default it works from the _raw field)

| makeresults
| eval _raw="<ns4:includeme>false</ns4:includeme>
<m:houseref>21</m:houseref>
<m1:security>***</m1:security>
<Name>Argus</Name>"
| spath
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-22-2017 10:59 AM

Your regex string was very close. The colon is optional so I put a question mark after it in the regex. This worked for me on regex101.com with your sample data.

\<\w?\w?\d?\:?([^\>]+)\>([^\<]+)\<\/
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

m7787580
Explorer
‎06-23-2017 01:35 AM

Thanks for coming back to me.

 <Na**me**>Argus</Name>

Then it is only capturing me part from Name and i want full Name to be rexed out.

Many Thanks,

0 Karma
Reply

niketn
Legend
‎06-22-2017 10:37 AM

@m7787580, any reason you are not using spath or xpath command?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...