Splunk Search

how to fillnull json value pair using spath or some other command

Communicator
<notification-list xmlns="http://www......./restful/schema/response">
<added-instance preexisting="false">
<alarm id="12fffffa1">
<attribute id="0x10">abc</attribute>
<attribute id="0x11">machinename</attribute>
<attribute id="0x22"/>
/alarm>
</added-instance>

Above xml am storing as a json response in splunk and using spath to do further query.
But now the issue is if you see the last attribute the 0x22 doesn't have a value pair for the key and then the issue happens with orderly showing the table.

How to fill the value pair for that attribute with 0 value ?

Tags (2)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Hi,

You could try with rex instead of spath. Something like this:

| makeresults | fields - _time
| eval myXML = "<notification-list xmlns=\"http://www......./restful/schema/response\">
 <added-instance preexisting=\"false\">
 <alarm id=\"12fffffa1\">
 <attribute id=\"0x10\">abc</attribute>
 <attribute id=\"0x11\">machinename</attribute>
 <attribute id=\"0x22\"/>
 </alarm>
 </added-instance>"
| rex field=myXML max_match=0 "(?msi)(?<attribute_line>\<attribute id\=.+?$)"
| mvexpand attribute_line
| rex field=attribute_line "id=\"(?<id>[^\"]+)\"(\/)?\>(?<attribute>[^\<]+)?"
| fillnull value=NULL attribute

Will produce something like the attached screenshot.
alt text
Hope that helps.

Regards,
J

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Hi,

You could try with rex instead of spath. Something like this:

| makeresults | fields - _time
| eval myXML = "<notification-list xmlns=\"http://www......./restful/schema/response\">
 <added-instance preexisting=\"false\">
 <alarm id=\"12fffffa1\">
 <attribute id=\"0x10\">abc</attribute>
 <attribute id=\"0x11\">machinename</attribute>
 <attribute id=\"0x22\"/>
 </alarm>
 </added-instance>"
| rex field=myXML max_match=0 "(?msi)(?<attribute_line>\<attribute id\=.+?$)"
| mvexpand attribute_line
| rex field=attribute_line "id=\"(?<id>[^\"]+)\"(\/)?\>(?<attribute>[^\<]+)?"
| fillnull value=NULL attribute

Will produce something like the attached screenshot.
alt text
Hope that helps.

Regards,
J

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Hi @surekhasplunk, did this solve your problem? If so, please do not forget to accept the answer so that we can close the question and others can benefit from it.

Thanks, J

0 Karma