Splunk Search

Multi XML Field Extraction

tyronetv
Communicator

Given an entry like below, my goal is to pull all the "fieldName" parameters, essentially recreating the "where" clause being submitted to the database. I would want the output to be along the lines of

_time RID fieldName#1 fieldName#2 fieldName...., Or

2013-01-14 07:32:13.182 | 1358177533172-2801682 | Process Date | Applied Amount

2013-01-14 07:32:13,182 INFO [ndler-RMICallHandler-4364] RID=1358177533172-2801682 c.r.t.services.AbstractServiceWsImpl - {USER ID} -- {SERVICE METHOD} SearchRequest {REQUESTED} <?xml version = '1.0' encoding = 'UTF-8'?> ----Process Date2013-01-112013-01-11Applied Amount4742.814742.81

Any suggestions ?

Tags (2)
0 Karma

jonuwz
Influencer

spath will munch your XML into splunk fields.

i.e.

... | spath path=searchrequest.callinguserid.applicationid.searchparams.searchparam.fieldname output=fieldnames 
| eval fieldnames=mvjoin(fieldnames,",")

So we're saying, in the xml, get all the instances of searchrequest.callinguserid.applicationid.searchparams.searchparam.fieldname, and put it in a field called fieldnames.

This is a multivalue field, so we join the values with a ','

0 Karma

jonuwz
Influencer

what happens if you just run it through | spath ?

0 Karma

tyronetv
Communicator

I used the following:

... | spath path=searchRequest.callingUserId.applicationId.searchParams.searchParam.fieldName output=fieldnames |eval fieldnames=mvjoin(fieldnames,",")

As I read the documentation on spath the letter case is important (or not, but I tried) but even this did not pull the fields as I would of hoped. As a matter of fact no fields were identified.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Data Management Digest – June 2026

Welcome to the June 2026 edition of Data Management Digest! This month’s update is short and sweet, with a ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...