
How to create the Regular Expression for the xml

Explorer

Hi Team,

I have XML in the format presented below and I am trying to use field transformation and field extraction in order to extract the field in people format.

Could you please help me in creating a regular expression for this XML?

<ns4:includeme>false</ns4:includeme>
<m:houseref>21</m:houseref>
<m1:security>***</m1:security>
<Name>Argus</Name>

I would like to have a single regular expression which I can use to extract all the field values and field names.

I tried to use the below:

- \<\w?\w?\d?\:([^\>]+)\>([^\<]+)\<\/

But it's not capturing the last one, Argus.

So I would like to know if it is possible and, if yes, what the expression would be.

Many Thanks

0 Karma

Re: How to create the Regular Expression for the xml

Legend

@m7787580, any reason you are not using spath or xpath command?




| eval message="Happy Splunking!!!"


0 Karma

Re: How to create the Regular Expression for the xml

SplunkTrust

Your regex string was very close. The colon is optional so I put a question mark after it in the regex. This worked for me on regex101.com with your sample data.

\<\w?\w?\d?\:?([^\>]+)\>([^\<]+)\<\/
---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: How to create the Regular Expression for the xml

Explorer

Thanks for coming back to me.

 <Na**me**>Argus</Name>

Then it is only capturing the "me" part from Name and I want the full Name to be rexed out.

Many Thanks,

0 Karma
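The behaviour reported in the posts above, reproduced as an added example that is not code from any poster in this thread. Python's `re` stands in for the regex engine here, and `GROUPED_PREFIX` is an assumed alternative pattern, not one taken from the thread: it makes the namespace prefix and its colon optional as a single unit, so an unprefixed tag keeps its full name.

```python
import re

# Sample event from the original question.
SAMPLE = """<ns4:includeme>false</ns4:includeme>
<m:houseref>21</m:houseref>
<m1:security>***</m1:security>
<Name>Argus</Name>"""

# Patterns quoted in the thread.
ORIGINAL = r"\<\w?\w?\d?\:([^\>]+)\>([^\<]+)\<\/"        # colon is mandatory
OPTIONAL_COLON = r"\<\w?\w?\d?\:?([^\>]+)\>([^\<]+)\<\/"  # colon is optional

# Assumed alternative (not from the thread): the prefix and the colon are
# optional together, and the name group excludes ':' and '/' so it can
# only ever be the local tag name of an opening tag.
GROUPED_PREFIX = r"<(?:\w+:)?([^>:/]+)>([^<]+)</"


def extract(pattern, text=SAMPLE):
    """Return (field_name, field_value) pairs found by `pattern`."""
    return re.findall(pattern, text)


def as_fields(pattern, text=SAMPLE):
    """Return the extraction as a field-name -> value dict."""
    return dict(extract(pattern, text))


if __name__ == "__main__":
    for label, pattern in [("original", ORIGINAL),
                           ("optional colon", OPTIONAL_COLON),
                           ("grouped prefix", GROUPED_PREFIX)]:
        # With OPTIONAL_COLON, \w?\w? consumes "Na" before the capture
        # group starts, which is why only "me" is left for the name.
        print(f"{label:15} -> {extract(pattern)}")
```

In a Splunk field transformation, the two capture groups map to field name and value with `FORMAT = $1::$2`.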

Re: How to create the Regular Expression for the xml

Esteemed Legend

Why not use spath (you can certainly go with @richgalloway's answer)?

0 Karma

Re: How to create the Regular Expression for the xml

Explorer

Hi Richgalloway's

I am not sure how to use spath.

If you could help me in understanding the syntax and usage, it would be helpful.

Many Thanks,

0 Karma

Re: How to create the Regular Expression for the xml

Esteemed Legend

You are going to LOVE this. Just add this to the end of your existing search and freak out:

| spath
0 Karma

Re: How to create the Regular Expression for the xml

Explorer

Hi wood,

I still cannot see the fields getting extracted 😞

0 Karma

Re: How to create the Regular Expression for the xml

Esteemed Legend

Try this and then figure out what is wonky in your search (by default it works from the _raw field):

| makeresults
| eval _raw="<ns4:includeme>false</ns4:includeme>
<m:houseref>21</m:houseref>
<m1:security>***</m1:security>
<Name>Argus</Name>"
| spath
0 Karma