Why am I getting blank rows extracting a multi lin...

andyhine · ‎08-08-2014

I am trying to extract a multi line XML file with many
<title>blah</title> elements.

Using
sourcetype="schedule" | rex field=_raw "\<title\>(?<title>.*?)\</title\>" | table title
or
sourcetype="schedule" | xmlkv title | table title

I get many blank rows. The data does not have any elements.

Using | fields title instead of | table title does not give any empty data as far as I can tell.

Thanks

andyhine · ‎08-08-2014

Thanks that didn't seem to make any difference to my blank rows.

somesoni2 · ‎08-08-2014

Just try this

sourcetype="schedule" | xmlkv | table title

OR 

sourcetype="schedule"|  rex field=_raw "\<title\>(?<title>(.*(\n)*)*)\</title\>" | table title

sk314 · ‎08-11-2014

It could be that there are events without the xml entries. You could try piping this to remove null values.

|search title!=NULL | table title

andyhine · ‎08-08-2014

Thanks

Trying

sourcetype="schedule" | xmlkv | table title

and

sourcetype="schedule"| rex field=_raw "\<title\>(?<title>(.*(\n)*)*)\</title\>" | table title

I get a blank table of results but clicking to sort by title get other results.

How can I filter out all these blank rows (and where are they coming from!?)

sk314 · ‎08-08-2014

Instead of rex, you could add the following entry to your props.conf file under "schedule" sourcetype:
kv_mode = xml

Why am I getting blank rows extracting a multi line XML file with xmlkv and regex?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>

Why am I getting blank rows extracting a multi line XML file with xmlkv and regex?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE! Catch Up Now >>

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>