Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Monitoring XML files in a directory, why isn't Splunk automatically extracting fields at search-time ?

EnterpriseUser
New Member
‎04-28-2015 09:09 PM

I'm new to splunk and just started using it. I want to monitor xml files in a directory. I have used summary indexing.
Splunk for some reason couldn't automatically extract those fields,hence I have used spath to extract fields like region and customerName
Xml files have structure as below:

<Details>
    <Name>ABC</Name>
    <UniqueID>23872378</UniqueID>
    <Count>4</Count>
    <Location>
        <Region>Some Region</Region>
        <Country>Any Country</Country>
        <State>Any State in Country</State>     
        <City>Any City in State</City>
    </Location>     
</Details>  
<Customers>         
    <Customer Name="ABCD XYZ" Address="asdjasdjksj" Contact="2387387843" Email="someone@email.com">
        <Products>
            <Product ID="57" Name="Samsung Galaxy s6" Price="56000">
                <OS>
                    <Name>Android</Name>
                    <Version>5.0.1</Version>
                </OS>
                <InternalMemory>32GB</InternalMemory>
                <ExpandableMemory>128GB</ExpandableMemory>
            </Product>
        </Products>
        <Products>
            <Product ID="58" Name="Sony Xperia z4" Price="46000">
                <OS>
                    <Name>Android</Name>
                    <Version>5.0.1</Version>
                </OS>
                <InternalMemory>16GB</InternalMemory>
                <ExpandableMemory>64GB</ExpandableMemory>
            </Product>
        </Products> 
    </Customer>
    <Customer Name="Xyz Pqrs" Address="adsfgfgrt" Contact="2387397843" Email="someone2@email.com">
        <Products>
            <Product ID="57" Name="Samsung Galaxy s5" Price="42000">
                <OS>
                    <Name>Android</Name>
                    <Version>5.0</Version>
                </OS>
                <InternalMemory>32GB</InternalMemory>
                <ExpandableMemory>128GB</ExpandableMemory>
            </Product>
        </Products>
        <Products>
            <Product ID="58" Name="LG G3" Price="46000">
                <OS>
                    <Name>Android</Name>
                    <Version>5.0.1</Version>
                </OS>
                <InternalMemory>16GB</InternalMemory>
                <ExpandableMemory>64GB</ExpandableMemory>
            </Product>
        </Products> 
    </Customer>
</Customers>
<Customers>         
    ...
</Customers>
And so on

Splunk searches I want to achieve:
1.List of product sold(Product Name) with count by Region
2.customer wise product purchased.
I didn't use rex, just used splunk searches.

0 Karma
Reply

stephane_cyrill
Builder
‎04-28-2015 10:41 PM

If the extraction is ok,can you provide a sample table of all your extracted fields ?so we can easily help....

0 Karma
Reply

EnterpriseUser
New Member
‎04-29-2015 02:02 AM

some values are coming as "other" while grouping.If i do precise search,i get correct values.Any Idea?

----Edit---
New updated query
index="indexforsamplexml"
| spath output="productSold" path="Report.Customers.Customer.Products.Product{@Name}"
| spath output="branchRegion" path="Report.Details.Location.Region"
| chart count over branchRegion by productSold limit=0

0 Karma
Reply

EnterpriseUser
New Member
‎05-04-2015 04:29 AM

Got one question.I had given sample data which mirrored by data`s xml pattern.
Query which worked on sample xml doesnt seem to work on my data.
Also the second query is not working properly.

link contains sample xml files i used for monitoring
https://drive.google.com/file/d/0B09txzFBEkNgclBBWmdwWjRMa0U/view?usp=sharing

0 Karma
Reply

EnterpriseUser
New Member
‎04-29-2015 12:49 AM

index="indexforsamplexml"
| spath output="nameOfProductSold" path="Report.Customers.Customer.Products.Product{@Name}"
| spath output="branchRegion" path="Report.Details.Location.Region"
|chart count over nameOfProductSold by branchRegion

first query ran somehow. 🙂
http://s27.postimg.org/smyo61moj/Untitled.png

I`ll try with second.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...