Splunk Search

How to split multilevel XML to extract fields and values?

Shan
Builder
<messaging><messaging_id>data_range</messaging_id><currentTimeStamp>2015-06-11-090445569807</currentTimeStamp>
<TransStatus>Fee Query</TransStatus><IpAddress>180.31.2.21</IpAddress><Port>1342</Port><Header><termID>GET</termID>
</Header><partner><id><range>GTEST</range></id></partner>

From the above-mentioned result, I need to get the values as mentioned below using the rex command. Is it possible?
All the above-mentioned values are available in a single field, _raw.

messaging_id   |    currentTimeStamp     |      range  
data_range     | 2015-06-11-090445569807 |      GTEST

In some posts I saw that we can separate it using spath.
I tried the same, but it's not working.
I want to split it like below.
If any other solution is out there, let me know that too.

Sample Code

<vendorProductSet vendorID="2">
            <product productID="17" units="mm" >
                <prodName nameGroup="custom">
                    <locName locale="all">APLI 01209</locName>
                </prodName>
                <desc descGroup="custom">
                    <locDesc locale="es">Precios</locDesc>
                    <locDesc locale="fr">Prix</locDesc>
                    <locDesc locale="de">Preise</locDesc>
                    <locDesc locale="ca">Preus</locDesc>
                    <locDesc locale="pt">Preços</locDesc> 
                </desc>
           </product>

       | spath output=locDesc path=vendorProductSet.product.desc.locDesc

Result should be:

Precios Prix Preise

I tried with the below examples, but it's not working.

source="D:\\Masking_View.log" host="RAKESH-KR" sourcetype="Masking_View"
 | spath Masking_View.View_Info.stor_grpname 
 | spath Masking_View.View_Info.Device.dev_name  
 | spath Masking_View.View_Info.Totals.total_dev_cap_mb  
 | table  Masking_View.View_Info.stor_grpname

props.conf

C:\Program Files\Splunk\etc\system\local

source="D:\\Masking_View.log" host="RAKESH-KR" sourcetype="Masking_View" 
 | rename Masking_View.View_Info.stor_grpname as sg_name
 | rename Masking_View.View_Info.Device.dev_name as dev_name
 | rename Masking_View.View_Info.Totals.total_dev_cap_mb as total_dev_cap_mb 
 | fields sg_name, dev_name, total_dev_cap_mb | eval f=substr(dev_name,1,2)  | table f 

and

 source="D:\\Masking_View.log" host="RAKESH-KR" sourcetype="Masking_View"  | rex field=_raw  "^(?:[^ \n]* ){7}(?P<xml>.+)"  | spath xml
0 Karma

sbbadri
Motivator

Hi Shankarananth,

You can try to extract the field by using props.conf and transforms.conf instead of spath.

Below is an example:

$SPLUNK_HOME/etc/app/your_app/local/props.conf

[your_sourcetype]
KV_MODE = xml
REPORT-getting_logins_fields = xml_login_fields

$SPLUNK_HOME/etc/app/your_app/local/transforms.conf

[xml_login_fields]
REGEX=([^<]+)>([^<]+)<
FORMAT = $1::$2 
MV_ADD = True

I hope this will help you.

Regards,
Badri Srinivas B

0 Karma
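To make the two approaches in this thread concrete (the spath path syntax from the question and the REGEX/FORMAT/MV_ADD transform from the answer above), here is an added Python model that is not part of the thread and not Splunk's own code. It parses constructed copies of the two XML snippets from the question (with the closing tags that the post cuts off supplied), resolves spath-style dotted paths against them, and runs the answer's transforms.conf regex over the raw text the way FORMAT = $1::$2 with MV_ADD = True would collect matches. LEAF_ELEMENT_REGEX is my own suggested tightening of that regex, not something the thread proposes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the first event in the question. The post is
# cut off, so the closing </messaging> tag is supplied here to make it parse.
RAW_EVENT = (
    "<messaging><messaging_id>data_range</messaging_id>"
    "<currentTimeStamp>2015-06-11-090445569807</currentTimeStamp>"
    "<TransStatus>Fee Query</TransStatus><IpAddress>180.31.2.21</IpAddress>"
    "<Port>1342</Port><Header><termID>GET</termID></Header>"
    "<partner><id><range>GTEST</range></id></partner></messaging>"
)

# Constructed sample modelled on the second (pretty-printed) snippet, again
# with the missing closing tags added.
PRODUCT_EVENT = """<vendorProductSet vendorID="2">
    <product productID="17" units="mm" >
        <prodName nameGroup="custom">
            <locName locale="all">APLI 01209</locName>
        </prodName>
        <desc descGroup="custom">
            <locDesc locale="es">Precios</locDesc>
            <locDesc locale="fr">Prix</locDesc>
            <locDesc locale="de">Preise</locDesc>
            <locDesc locale="ca">Preus</locDesc>
            <locDesc locale="pt">Preços</locDesc>
        </desc>
    </product>
</vendorProductSet>"""

# The REGEX from the transforms.conf stanza in the answer, verbatim.
XML_LOGIN_FIELDS_REGEX = re.compile(r"([^<]+)>([^<]+)<")

# A tighter alternative (my suggestion, not from the thread): only a leaf
# element with real text, closed by a tag of the same name, yields a field.
# Attributes are skipped and closing tags followed by whitespace never match.
LEAF_ELEMENT_REGEX = re.compile(r"<([A-Za-z_][\w.-]*)(?:\s[^>]*)?>([^<]+)</\1>")


def spath_like(raw, path):
    """Resolve a dotted spath-style path (root.child.leaf) against one XML
    event. Returns every matching element's text as a list, which is how a
    Splunk multivalue field behaves; an empty list means nothing matched."""
    root = ET.fromstring(raw)
    parts = path.split(".")
    if root.tag != parts[0]:
        return []
    nodes = [root]
    for part in parts[1:]:
        nodes = [child for node in nodes for child in node.findall(part)]
    return [(node.text or "").strip() for node in nodes]


def transform_fields(raw, regex=XML_LOGIN_FIELDS_REGEX):
    """Model a transforms.conf stanza with FORMAT = $1::$2 and MV_ADD = True:
    every match becomes a field named $1 holding $2, and repeated names
    accumulate into a list instead of overwriting each other."""
    fields = {}
    for name, value in regex.findall(raw):
        fields.setdefault(name, []).append(value)
    return fields


if __name__ == "__main__":
    for path in ("messaging.messaging_id", "messaging.currentTimeStamp",
                 "messaging.partner.id.range"):
        print(path, "->", spath_like(RAW_EVENT, path))
    print(spath_like(PRODUCT_EVENT, "vendorProductSet.product.desc.locDesc"))
    print(sorted(transform_fields(RAW_EVENT)))
    # On pretty-printed XML the thread's regex also "extracts" closing tags
    # and indentation whitespace, which is why the regex has to be written
    # against the actual XML source rather than copied from another stanza.
    print(sorted(transform_fields(PRODUCT_EVENT)))
    print(sorted(transform_fields(PRODUCT_EVENT, LEAF_ELEMENT_REGEX)))
```

Two points the model makes visible: the answer's regex works cleanly on the compact single-line event (it yields exactly messaging_id, currentTimeStamp, TransStatus, IpAddress, Port, termID and range), but on indented XML it also produces fields named after closing tags and attributed opening tags with whitespace values, so it must be adapted to the real source. Separately, Splunk's spath only parses well-formed XML, so when an event carries a non-XML prefix the XML should be cut out with rex first and then passed with `spath input=<field>`; the first positional argument of spath is the path, not the input field.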

Shan
Builder

Hi Badri Srinivas,

Thanks for your answer and sorry for my late response.
As you mentioned, I have added the required details in props.conf and transforms.conf.

transforms.conf

[xml_login_fields]
REGEX=([^<]+)>([^<]+)<
FORMAT = $1::$2
MV_ADD = True

props.conf

[Gate]
KV_MODE = xml
REPORT-getting_logins_fields = xml_login_fields

Still I'm not getting the split XML values.
Maybe I'm doing something wrong in the search query.

Below is the search query I'm using.

sourcetype="Gate_View"
| rename Masking_View.View_Info.stor_grpname as sg_name
| rename Masking_View.View_Info.Device.dev_name as dev_name
| rename Masking_View.View_Info.Totals.total_dev_cap_mb as total_dev_cap_mb
| fields sg_name, dev_name, total_dev_cap_mb

If I'm wrong, kindly correct me.

Thanks in advance.

0 Karma

sbbadri
Motivator

Hi Shankarananth,

You need to change the regex expression according to your XML source.

Regards,
Badri Srinivas B

0 Karma

Shan
Builder

Hi Badri Srinivas,

Thanks for your reply and sorry for the late reply.
I added the details as you mentioned in props.conf and transforms.conf, but it's still not working for me.
I think I am taking the wrong approach in the search query.
Below is the search query I'm using to fetch that XML data field.

sourcetype="Masking_View"
| rename Masking_View.View_Info.stor_grpname as sg_name
| rename Masking_View.View_Info.Device.dev_name as dev_name
| rename Masking_View.View_Info.Totals.total_dev_cap_mb as total_dev_cap_mb
| fields sg_name, dev_name, total_dev_cap_mb | eval f=substr(dev_name,1,2) | table f

If I'm wrong, correct me.
Thanks in advance.

0 Karma