Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Monitoring XML files in a directory, why isn't Splunk automatically extracting fields at search-time ?

EnterpriseUser
New Member
‎04-28-2015 09:09 PM

I'm new to splunk and just started using it. I want to monitor xml files in a directory. I have used summary indexing.
Splunk for some reason couldn't automatically extract those fields,hence I have used spath to extract fields like region and customerName
Xml files have structure as below:

<Details>
    <Name>ABC</Name>
    <UniqueID>23872378</UniqueID>
    <Count>4</Count>
    <Location>
        <Region>Some Region</Region>
        <Country>Any Country</Country>
        <State>Any State in Country</State>     
        <City>Any City in State</City>
    </Location>     
</Details>  
<Customers>         
    <Customer Name="ABCD XYZ" Address="asdjasdjksj" Contact="2387387843" Email="someone@email.com">
        <Products>
            <Product ID="57" Name="Samsung Galaxy s6" Price="56000">
                <OS>
                    <Name>Android</Name>
                    <Version>5.0.1</Version>
                </OS>
                <InternalMemory>32GB</InternalMemory>
                <ExpandableMemory>128GB</ExpandableMemory>
            </Product>
        </Products>
        <Products>
            <Product ID="58" Name="Sony Xperia z4" Price="46000">
                <OS>
                    <Name>Android</Name>
                    <Version>5.0.1</Version>
                </OS>
                <InternalMemory>16GB</InternalMemory>
                <ExpandableMemory>64GB</ExpandableMemory>
            </Product>
        </Products> 
    </Customer>
    <Customer Name="Xyz Pqrs" Address="adsfgfgrt" Contact="2387397843" Email="someone2@email.com">
        <Products>
            <Product ID="57" Name="Samsung Galaxy s5" Price="42000">
                <OS>
                    <Name>Android</Name>
                    <Version>5.0</Version>
                </OS>
                <InternalMemory>32GB</InternalMemory>
                <ExpandableMemory>128GB</ExpandableMemory>
            </Product>
        </Products>
        <Products>
            <Product ID="58" Name="LG G3" Price="46000">
                <OS>
                    <Name>Android</Name>
                    <Version>5.0.1</Version>
                </OS>
                <InternalMemory>16GB</InternalMemory>
                <ExpandableMemory>64GB</ExpandableMemory>
            </Product>
        </Products> 
    </Customer>
</Customers>
<Customers>         
    ...
</Customers>
And so on

Splunk searches I want to achieve:
1.List of product sold(Product Name) with count by Region
2.customer wise product purchased.
I didn't use rex, just used splunk searches.

0 Karma
Reply

stephane_cyrill
Builder
‎04-28-2015 10:41 PM

If the extraction is ok,can you provide a sample table of all your extracted fields ?so we can easily help....

0 Karma
Reply

EnterpriseUser
New Member
‎04-29-2015 02:02 AM

some values are coming as "other" while grouping.If i do precise search,i get correct values.Any Idea?

----Edit---
New updated query
index="indexforsamplexml"
| spath output="productSold" path="Report.Customers.Customer.Products.Product{@Name}"
| spath output="branchRegion" path="Report.Details.Location.Region"
| chart count over branchRegion by productSold limit=0

0 Karma
Reply

EnterpriseUser
New Member
‎05-04-2015 04:29 AM

Got one question.I had given sample data which mirrored by data`s xml pattern.
Query which worked on sample xml doesnt seem to work on my data.
Also the second query is not working properly.

link contains sample xml files i used for monitoring
https://drive.google.com/file/d/0B09txzFBEkNgclBBWmdwWjRMa0U/view?usp=sharing

0 Karma
Reply

EnterpriseUser
New Member
‎04-29-2015 12:49 AM

index="indexforsamplexml"
| spath output="nameOfProductSold" path="Report.Customers.Customer.Products.Product{@Name}"
| spath output="branchRegion" path="Report.Details.Location.Region"
|chart count over nameOfProductSold by branchRegion

first query ran somehow. 🙂
http://s27.postimg.org/smyo61moj/Untitled.png

I`ll try with second.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...