Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract Major_Brand_Display_Name value from xml

kirankotla
New Member
‎11-12-2016 04:46 PM 
           <EmailAddress>RON@xyz.COM</EmailAddress>
           <Attributes>
              <Name>Addressee_Name</Name>
              <Value>bng</Value>
           </Attributes>
           <Attributes>
              <Name>xyz</Name>
              <Value>xyz</Value>
           </Attributes>

           <Attributes>
              <Name>pqr</Name>
              <Value></Value>
           </Attributes>
           <Attributes>
              <Name>xxxx</Name>
              <Value>zzzz</Value>
           </Attributes>

        </Subscribers>
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gokadroid
Motivator
‎11-12-2016 06:34 PM

If all of this is a part of single event and you want to extract any one of the above tag name or tag values then just replace the last line of the below query with that tag name exa. | where tagName="Major_Brand_Display_Name | fields - tagName"

index=yourIndex sourcetype=yourSourcetype earliest=-7d@d
| rex field=_raw max_match=0 "\<Name\>(?<name>[^\<]+)<\/Name\>" 
| rex field=_raw max_match=0 "\<Value\>(?<value>[^\<]+)\<\/Value\>" 
| eval z=mvzip(name, value, "~") 
| mvexpand z 
| rex field=z "(?<tagName>[^~]+)~(?<tagValue>.*)" 
| table _time, tagName, tagValue 
| where tagName="Major_Brand_Display_Name"
| chart count(tagValue) over _time by tagValue

Updating as per comments

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎11-13-2016 08:18 PM

I am down voting this as the question data has been changed after answering the question. the answer given below was for the earlier data (xml tags and values) and it seemed to have work fine for @kirankotla as per user's comments. now at its current state the xml data in question is not intuitive for community users to answer this question and lacks info as to where does "major_brand_display_name" exist as part of xml. Is it a tag <Name> for which a <Value> is required or this text exists as part of <Value> itself and needs an extraction?

0 Karma
Reply
Solved! Jump to solution
Solution

gokadroid
Motivator
‎11-12-2016 06:34 PM

If all of this is a part of single event and you want to extract any one of the above tag name or tag values then just replace the last line of the below query with that tag name exa. | where tagName="Major_Brand_Display_Name | fields - tagName"

index=yourIndex sourcetype=yourSourcetype earliest=-7d@d
| rex field=_raw max_match=0 "\<Name\>(?<name>[^\<]+)<\/Name\>" 
| rex field=_raw max_match=0 "\<Value\>(?<value>[^\<]+)\<\/Value\>" 
| eval z=mvzip(name, value, "~") 
| mvexpand z 
| rex field=z "(?<tagName>[^~]+)~(?<tagValue>.*)" 
| table _time, tagName, tagValue 
| where tagName="Major_Brand_Display_Name"
| chart count(tagValue) over _time by tagValue

Updating as per comments

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎11-12-2016 07:37 PM

Firstly choose either the time picker for last 7 days or in your query add the earliest=-7d@din the first line where you search your query to get the above xml data as event as something like index=yourIndex sourcetype=yourSourcetype earliest=-7d@d. After that change the last three lines of query as follows where you add the _time in table first, and then chart it later on:

| table _time, tagName, tagValue 
| where tagName="Major_Brand_Display_Name"
| chart count(tagValue) over _time by tagValue

If this works well then please accept the answer and upvote so the question can be closed.

0 Karma
Reply
Solved! Jump to solution

kirankotla
New Member
‎11-13-2016 08:28 PM

Hi gokadroid

As per privacy policy,i removed original data.

0 Karma
Reply
Solved! Jump to solution

kirankotla
New Member
‎11-12-2016 07:21 PM

Awesome! thank you so much.
Is it possible to use timechat based on Major_Brand_Display_Name line timechart span=7d count by Major_Brand_Display_Name

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...