Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I getting blank rows extracting a multi line XML file with xmlkv and regex?

andyhine
New Member
‎08-08-2014 09:51 AM

I am trying to extract a multi line XML file with many
<title>blah</title> elements.

Using
sourcetype="schedule" | rex field=_raw "\<title\>(?<title>.*?)\</title\>" | table title
or
sourcetype="schedule" | xmlkv title | table title

I get many blank rows. The data does not have any elements.

Using | fields title instead of | table title does not give any empty data as far as I can tell.

Thanks

0 Karma
Reply

andyhine
New Member
‎08-08-2014 08:32 PM

Thanks that didn't seem to make any difference to my blank rows.

0 Karma
Reply

somesoni2
Revered Legend
‎08-08-2014 12:37 PM

Just try this

sourcetype="schedule" | xmlkv | table title

OR 

sourcetype="schedule"|  rex field=_raw "\<title\>(?<title>(.*(\n)*)*)\</title\>" | table title
0 Karma
Reply

sk314
Builder
‎08-11-2014 05:07 PM

It could be that there are events without the xml entries. You could try piping this to remove null values.

|search title!=NULL | table title

0 Karma
Reply

andyhine
New Member
‎08-08-2014 08:24 PM

Thanks

Trying

sourcetype="schedule" | xmlkv | table title

and

sourcetype="schedule"| rex field=_raw "\<title\>(?<title>(.*(\n)*)*)\</title\>" | table title

I get a blank table of results but clicking to sort by title get other results.

How can I filter out all these blank rows (and where are they coming from!?)

0 Karma
Reply

sk314
Builder
‎08-08-2014 10:47 AM

Instead of rex, you could add the following entry to your props.conf file under "schedule" sourcetype:
kv_mode = xml

0 Karma
Reply
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!