Multi XML Field Extraction

tyronetv · ‎01-14-2013

Given an entry like below, my goal is to pull all the "fieldName" parameters, essentially recreating the "where" clause being submitted to the database. I would want the output to be along the lines of

_time RID fieldName#1 fieldName#2 fieldName...., Or

2013-01-14 07:32:13.182 | 1358177533172-2801682 | Process Date | Applied Amount

2013-01-14 07:32:13,182 INFO [ndler-RMICallHandler-4364] RID=1358177533172-2801682 c.r.t.services.AbstractServiceWsImpl - {USER ID} -- {SERVICE METHOD} SearchRequest {REQUESTED} <?xml version = '1.0' encoding = 'UTF-8'?> ----Process Date2013-01-112013-01-11Applied Amount4742.814742.81

Any suggestions ?

jonuwz · ‎01-20-2013

spath will munch your XML into splunk fields.

i.e.

... | spath path=searchrequest.callinguserid.applicationid.searchparams.searchparam.fieldname output=fieldnames 
| eval fieldnames=mvjoin(fieldnames,",")

So we're saying, in the xml, get all the instances of searchrequest.callinguserid.applicationid.searchparams.searchparam.fieldname, and put it in a field called fieldnames.

This is a multivalue field, so we join the values with a ','

jonuwz · ‎01-23-2013

what happens if you just run it through | spath ?

tyronetv · ‎01-22-2013

I used the following:

... | spath path=searchRequest.callingUserId.applicationId.searchParams.searchParam.fieldName output=fieldnames |eval fieldnames=mvjoin(fieldnames,",")

As I read the documentation on spath the letter case is important (or not, but I tried) but even this did not pull the fields as I would of hoped. As a matter of fact no fields were identified.

Multi XML Field Extraction

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!