Re: Join multiple fields from xml

roblr052 · ‎05-25-2018

I want to join these different product_id's from an XML file into one table:

<product_detail> 
  <product_id>1003C</product_id>
<product_detail>
  <product_id>1002C</product_id>
</product_detail>

Example: 1003C,1002C

How do I get the output of these multiple values into a semi-colon?

niketn · ‎05-25-2018

@roblr052, your sample XML data seems incorrect. Your first <product_detail> does not have an end node. I am not sure if that is how the data is or whether it was a type while posting the sample data here.

Following is a run anywhere example with corrected sample data and spath command:

|  makeresults
|  eval _raw="<data>
                 <product_detail> 
                    <product_id>1003C</product_id>
                 </product_detail>
                 <product_detail>
                    <product_id>1002C</product_id>
                 </product_detail>
              </data>"
| spath

Please try out and confirm.

If correct xml data is indexed, then either KV_MODE=xml should be used to get xml fields extracted automatically during search time field discovery.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Join multiple fields from xml

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation