Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Monitoring XML files in a directory, why isn't Splunk automatically extracting fields at search-time ?

EnterpriseUser
New Member
‎04-28-2015 09:09 PM

I'm new to splunk and just started using it. I want to monitor xml files in a directory. I have used summary indexing.
Splunk for some reason couldn't automatically extract those fields,hence I have used spath to extract fields like region and customerName
Xml files have structure as below:

<Details>
    <Name>ABC</Name>
    <UniqueID>23872378</UniqueID>
    <Count>4</Count>
    <Location>
        <Region>Some Region</Region>
        <Country>Any Country</Country>
        <State>Any State in Country</State>     
        <City>Any City in State</City>
    </Location>     
</Details>  
<Customers>         
    <Customer Name="ABCD XYZ" Address="asdjasdjksj" Contact="2387387843" Email="someone@email.com">
        <Products>
            <Product ID="57" Name="Samsung Galaxy s6" Price="56000">
                <OS>
                    <Name>Android</Name>
                    <Version>5.0.1</Version>
                </OS>
                <InternalMemory>32GB</InternalMemory>
                <ExpandableMemory>128GB</ExpandableMemory>
            </Product>
        </Products>
        <Products>
            <Product ID="58" Name="Sony Xperia z4" Price="46000">
                <OS>
                    <Name>Android</Name>
                    <Version>5.0.1</Version>
                </OS>
                <InternalMemory>16GB</InternalMemory>
                <ExpandableMemory>64GB</ExpandableMemory>
            </Product>
        </Products> 
    </Customer>
    <Customer Name="Xyz Pqrs" Address="adsfgfgrt" Contact="2387397843" Email="someone2@email.com">
        <Products>
            <Product ID="57" Name="Samsung Galaxy s5" Price="42000">
                <OS>
                    <Name>Android</Name>
                    <Version>5.0</Version>
                </OS>
                <InternalMemory>32GB</InternalMemory>
                <ExpandableMemory>128GB</ExpandableMemory>
            </Product>
        </Products>
        <Products>
            <Product ID="58" Name="LG G3" Price="46000">
                <OS>
                    <Name>Android</Name>
                    <Version>5.0.1</Version>
                </OS>
                <InternalMemory>16GB</InternalMemory>
                <ExpandableMemory>64GB</ExpandableMemory>
            </Product>
        </Products> 
    </Customer>
</Customers>
<Customers>         
    ...
</Customers>
And so on

Splunk searches I want to achieve:
1.List of product sold(Product Name) with count by Region
2.customer wise product purchased.
I didn't use rex, just used splunk searches.

0 Karma
Reply

stephane_cyrill
Builder
‎04-28-2015 10:41 PM

If the extraction is ok,can you provide a sample table of all your extracted fields ?so we can easily help....

0 Karma
Reply

EnterpriseUser
New Member
‎04-29-2015 02:02 AM

some values are coming as "other" while grouping.If i do precise search,i get correct values.Any Idea?

----Edit---
New updated query
index="indexforsamplexml"
| spath output="productSold" path="Report.Customers.Customer.Products.Product{@Name}"
| spath output="branchRegion" path="Report.Details.Location.Region"
| chart count over branchRegion by productSold limit=0

0 Karma
Reply

EnterpriseUser
New Member
‎05-04-2015 04:29 AM

Got one question.I had given sample data which mirrored by data`s xml pattern.
Query which worked on sample xml doesnt seem to work on my data.
Also the second query is not working properly.

link contains sample xml files i used for monitoring
https://drive.google.com/file/d/0B09txzFBEkNgclBBWmdwWjRMa0U/view?usp=sharing

0 Karma
Reply

EnterpriseUser
New Member
‎04-29-2015 12:49 AM

index="indexforsamplexml"
| spath output="nameOfProductSold" path="Report.Customers.Customer.Products.Product{@Name}"
| spath output="branchRegion" path="Report.Details.Location.Region"
|chart count over nameOfProductSold by branchRegion

first query ran somehow. 🙂
http://s27.postimg.org/smyo61moj/Untitled.png

I`ll try with second.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...