Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

Why am I getting blank rows extracting a multi line XML file with xmlkv and regex?

andyhine
New Member
‎08-08-2014 09:51 AM

I am trying to extract a multi line XML file with many
<title>blah</title> elements.

Using
sourcetype="schedule" | rex field=_raw "\<title\>(?<title>.*?)\</title\>" | table title
or
sourcetype="schedule" | xmlkv title | table title

I get many blank rows. The data does not have any elements.

Using | fields title instead of | table title does not give any empty data as far as I can tell.

Thanks

0 Karma
Reply
Highlighted

Re: Why am I getting blank rows extracting a multi line XML file with xmlkv and regex?

sk314
Builder
‎08-08-2014 10:47 AM

Instead of rex, you could add the following entry to your props.conf file under "schedule" sourcetype:
kv_mode = xml

0 Karma
Reply
Highlighted

Re: Why am I getting blank rows extracting a multi line XML file with xmlkv and regex?

somesoni2
SplunkTrust
SplunkTrust
‎08-08-2014 12:37 PM

Just try this

sourcetype="schedule" | xmlkv | table title

OR 

sourcetype="schedule"|  rex field=_raw "\<title\>(?<title>(.*(\n)*)*)\</title\>" | table title
0 Karma
Reply
Highlighted

Re: Why am I getting blank rows extracting a multi line XML file with xmlkv and regex?

andyhine
New Member
‎08-08-2014 08:24 PM

Thanks

Trying

sourcetype="schedule" | xmlkv | table title

and

sourcetype="schedule"| rex field=_raw "\<title\>(?<title>(.*(\n)*)*)\</title\>" | table title

I get a blank table of results but clicking to sort by title get other results.

How can I filter out all these blank rows (and where are they coming from!?)

0 Karma
Reply
Highlighted

Re: Why am I getting blank rows extracting a multi line XML file with xmlkv and regex?

sk314
Builder
‎08-11-2014 05:07 PM

It could be that there are events without the xml entries. You could try piping this to remove null values.

|search title!=NULL | table title

0 Karma
Reply
Highlighted

Re: Why am I getting blank rows extracting a multi line XML file with xmlkv and regex?

andyhine
New Member
‎08-08-2014 08:32 PM

Thanks that didn't seem to make any difference to my blank rows.

0 Karma
Reply
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.