I am trying to extract a multi line XML file with many
<title>blah</title>
elements.
Using
sourcetype="schedule" | rex field=_raw "\<title\>(?<title>.*?)\</title\>" | table title
or
sourcetype="schedule" | xmlkv title | table title
I get many blank rows. The data does not have any
Using | fields title instead of | table title does not give any empty data as far as I can tell.
Thanks
Thanks that didn't seem to make any difference to my blank rows.
Just try this
sourcetype="schedule" | xmlkv | table title
OR
sourcetype="schedule"| rex field=_raw "\<title\>(?<title>(.*(\n)*)*)\</title\>" | table title
It could be that there are events without the xml entries. You could try piping this to remove null values.
|search title!=NULL | table title
Thanks
Trying
sourcetype="schedule" | xmlkv | table title
and
sourcetype="schedule"| rex field=_raw "\<title\>(?<title>(.*(\n)*)*)\</title\>" | table title
I get a blank table of results but clicking to sort by title get other results.
How can I filter out all these blank rows (and where are they coming from!?)
Instead of rex, you could add the following entry to your props.conf file under "schedule" sourcetype:
kv_mode = xml