Why am I getting blank rows extracting a multi lin...

andyhine · ‎08-08-2014

I am trying to extract a multi line XML file with many
<title>blah</title> elements.

Using
sourcetype="schedule" | rex field=_raw "\<title\>(?<title>.*?)\</title\>" | table title
or
sourcetype="schedule" | xmlkv title | table title

I get many blank rows. The data does not have any elements.

Using | fields title instead of | table title does not give any empty data as far as I can tell.

Thanks

andyhine · ‎08-08-2014

Thanks that didn't seem to make any difference to my blank rows.

somesoni2 · ‎08-08-2014

Just try this

sourcetype="schedule" | xmlkv | table title

OR 

sourcetype="schedule"|  rex field=_raw "\<title\>(?<title>(.*(\n)*)*)\</title\>" | table title

sk314 · ‎08-11-2014

It could be that there are events without the xml entries. You could try piping this to remove null values.

|search title!=NULL | table title

andyhine · ‎08-08-2014

Thanks

Trying

sourcetype="schedule" | xmlkv | table title

and

sourcetype="schedule"| rex field=_raw "\<title\>(?<title>(.*(\n)*)*)\</title\>" | table title

I get a blank table of results but clicking to sort by title get other results.

How can I filter out all these blank rows (and where are they coming from!?)

sk314 · ‎08-08-2014

Instead of rex, you could add the following entry to your props.conf file under "schedule" sourcetype:
kv_mode = xml

Why am I getting blank rows extracting a multi line XML file with xmlkv and regex?

Extending Splunk AI Assistant for SPL to Splunk Enterprise customers!

Developer Spotlight with Qmulos

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Why am I getting blank rows extracting a multi line XML file with xmlkv and regex?

Extending Splunk AI Assistant for SPL to Splunk Enterprise customers!

Developer Spotlight with Qmulos

Leveraging Automated Threat Analysis Across the Splunk Ecosystem