Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract multivalue fields in multiple event...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chironc
Engager
04-02-2015
04:40 AM
Hello,
I'm trying to extract information from a XML files. The file repeats the following pattern for each IP address.
<IP value="10.10.10.10" name="toto">
<INFOS>
<INFO number="6" severity="1">
<TITLE>test1]></TITLE>
<LAST_UPDATE><![CDATA[1999-01-01T08:00:00Z]]></LAST_UPDATE>
</INFO>
<INFO number="456" severity="12">
<TITLE>test2</TITLE>
<LAST_UPDATE><![CDATA[2010-01-01T08:00:00Z]]></LAST_UPDATE>
</INFO>
<INFO number="1234" severity="1">
<TITLE>test3</TITLE>
<LAST_UPDATE><![CDATA[2012-01-01T08:00:00Z]]></LAST_UPDATE>
</INFO>
</INFOS>
</IP>
In the props.conf files, I've added the parameter: KV_mode = xml. So I have the following multivalue fields:
IP.INFOS.INFO{@number}
6
456
1234
IP.INFOS.INFO{@severity}
1
12
1
IP.INFOS.INFO.LAST_UPDATE
1999-01-01T08:00:00Z
2010-01-01T08:00:00Z
2012-01-01T08:00:00Z
I would like to separate the fields in order to have those events:
10.10.10.10 | 6 | 1 | 1999-01-01T08:00:00Z
10.10.10.10 | 456 | 12 | 2010-01-01T08:00:00Z
10.10.10.10 | 1234 | 1 | 2012-01-01T08:00:00Z
I tried to use mvexpand, mvzip, spath, etc.. But I did not succeed.
Is there a way to do it ?
Best regards,
Corentin
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-02-2015
12:56 PM
Give this a try
Your base search | eval temp=mvzip(mvzip(mvzip('IP.INFOS.INFO.LAST_UPDATE','IP.INFOS.INFO.TITLE',"#"), 'IP.INFOS.INFO{@number}',"#"), 'IP.INFOS.INFO{@severity}',"#") | table IP{@name},IP{@value},temp | mvexpand temp | rex field=temp "(?<LAST_UPDATE>.*)#(?<TITLE>.*)#(?<Number>.*)#(?<Severity>.*)" | rename IP{@name} as IP_Name IP{@value} as IP_Address | fields - IP.* temp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-02-2015
12:56 PM
Give this a try
Your base search | eval temp=mvzip(mvzip(mvzip('IP.INFOS.INFO.LAST_UPDATE','IP.INFOS.INFO.TITLE',"#"), 'IP.INFOS.INFO{@number}',"#"), 'IP.INFOS.INFO{@severity}',"#") | table IP{@name},IP{@value},temp | mvexpand temp | rex field=temp "(?<LAST_UPDATE>.*)#(?<TITLE>.*)#(?<Number>.*)#(?<Severity>.*)" | rename IP{@name} as IP_Name IP{@value} as IP_Address | fields - IP.* temp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chironc
Engager
04-03-2015
12:44 AM
Hello,
Thank you. It works !
Best regards,
Get Updates on the Splunk Community!
Introducing Splunk Enterprise 9.2
WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...
Adoption of RUM and APM at Splunk
Unleash the power of Splunk Observability
Watch Now
In this can't miss Tech Talk! The Splunk Growth ...
Routing logs with Splunk OTel Collector for Kubernetes
The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...
