Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multi XML Field Extraction

tyronetv
Communicator
‎01-14-2013 07:48 AM

Given an entry like below, my goal is to pull all the "fieldName" parameters, essentially recreating the "where" clause being submitted to the database. I would want the output to be along the lines of

_time RID fieldName#1 fieldName#2 fieldName...., Or

2013-01-14 07:32:13.182 | 1358177533172-2801682 | Process Date | Applied Amount

2013-01-14 07:32:13,182 INFO [ndler-RMICallHandler-4364] RID=1358177533172-2801682 c.r.t.services.AbstractServiceWsImpl - {USER ID} -- {SERVICE METHOD} SearchRequest {REQUESTED} <?xml version = '1.0' encoding = 'UTF-8'?> ----Process Date2013-01-112013-01-11Applied Amount4742.814742.81

Any suggestions ?

Tags (2)
0 Karma
Reply

jonuwz
Influencer
‎01-20-2013 04:39 AM

spath will munch your XML into splunk fields.

i.e.

... | spath path=searchrequest.callinguserid.applicationid.searchparams.searchparam.fieldname output=fieldnames 
| eval fieldnames=mvjoin(fieldnames,",")

So we're saying, in the xml, get all the instances of searchrequest.callinguserid.applicationid.searchparams.searchparam.fieldname, and put it in a field called fieldnames.

This is a multivalue field, so we join the values with a ','

0 Karma
Reply

jonuwz
Influencer
‎01-23-2013 05:41 AM

what happens if you just run it through | spath ?

0 Karma
Reply

tyronetv
Communicator
‎01-22-2013 06:37 AM

I used the following:

... | spath path=searchRequest.callingUserId.applicationId.searchParams.searchParam.fieldName output=fieldnames |eval fieldnames=mvjoin(fieldnames,",")

As I read the documentation on spath the letter case is important (or not, but I tried) but even this did not pull the fields as I would of hoped. As a matter of fact no fields were identified.

0 Karma
Reply
Get Updates on the Splunk Community!

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...