Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract multivalue fields in multiple event...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chironc
Engager
04-02-2015
04:40 AM
Hello,
I'm trying to extract information from a XML files. The file repeats the following pattern for each IP address.
<IP value="10.10.10.10" name="toto">
<INFOS>
<INFO number="6" severity="1">
<TITLE>test1]></TITLE>
<LAST_UPDATE><![CDATA[1999-01-01T08:00:00Z]]></LAST_UPDATE>
</INFO>
<INFO number="456" severity="12">
<TITLE>test2</TITLE>
<LAST_UPDATE><![CDATA[2010-01-01T08:00:00Z]]></LAST_UPDATE>
</INFO>
<INFO number="1234" severity="1">
<TITLE>test3</TITLE>
<LAST_UPDATE><![CDATA[2012-01-01T08:00:00Z]]></LAST_UPDATE>
</INFO>
</INFOS>
</IP>
In the props.conf files, I've added the parameter: KV_mode = xml. So I have the following multivalue fields:
IP.INFOS.INFO{@number}
6
456
1234
IP.INFOS.INFO{@severity}
1
12
1
IP.INFOS.INFO.LAST_UPDATE
1999-01-01T08:00:00Z
2010-01-01T08:00:00Z
2012-01-01T08:00:00Z
I would like to separate the fields in order to have those events:
10.10.10.10 | 6 | 1 | 1999-01-01T08:00:00Z
10.10.10.10 | 456 | 12 | 2010-01-01T08:00:00Z
10.10.10.10 | 1234 | 1 | 2012-01-01T08:00:00Z
I tried to use mvexpand, mvzip, spath, etc.. But I did not succeed.
Is there a way to do it ?
Best regards,
Corentin
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-02-2015
12:56 PM
Give this a try
Your base search | eval temp=mvzip(mvzip(mvzip('IP.INFOS.INFO.LAST_UPDATE','IP.INFOS.INFO.TITLE',"#"), 'IP.INFOS.INFO{@number}',"#"), 'IP.INFOS.INFO{@severity}',"#") | table IP{@name},IP{@value},temp | mvexpand temp | rex field=temp "(?<LAST_UPDATE>.*)#(?<TITLE>.*)#(?<Number>.*)#(?<Severity>.*)" | rename IP{@name} as IP_Name IP{@value} as IP_Address | fields - IP.* temp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-02-2015
12:56 PM
Give this a try
Your base search | eval temp=mvzip(mvzip(mvzip('IP.INFOS.INFO.LAST_UPDATE','IP.INFOS.INFO.TITLE',"#"), 'IP.INFOS.INFO{@number}',"#"), 'IP.INFOS.INFO{@severity}',"#") | table IP{@name},IP{@value},temp | mvexpand temp | rex field=temp "(?<LAST_UPDATE>.*)#(?<TITLE>.*)#(?<Number>.*)#(?<Severity>.*)" | rename IP{@name} as IP_Name IP{@value} as IP_Address | fields - IP.* temp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chironc
Engager
04-03-2015
12:44 AM
Hello,
Thank you. It works !
Best regards,
Get Updates on the Splunk Community!
Updated Team Landing Page in Splunk Observability
We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
