Hello,
I'm trying to extract information from a XML files. The file repeats the following pattern for each IP address.
<IP value="10.10.10.10" name="toto">
<INFOS>
<INFO number="6" severity="1">
<TITLE>test1]></TITLE>
<LAST_UPDATE><![CDATA[1999-01-01T08:00:00Z]]></LAST_UPDATE>
</INFO>
<INFO number="456" severity="12">
<TITLE>test2</TITLE>
<LAST_UPDATE><![CDATA[2010-01-01T08:00:00Z]]></LAST_UPDATE>
</INFO>
<INFO number="1234" severity="1">
<TITLE>test3</TITLE>
<LAST_UPDATE><![CDATA[2012-01-01T08:00:00Z]]></LAST_UPDATE>
</INFO>
</INFOS>
</IP>
In the props.conf files, I've added the parameter: KV_mode = xml . So I have the following multivalue fields:
IP.INFOS.INFO{@number}
6
456
1234
IP.INFOS.INFO{@severity}
1
12
1
IP.INFOS.INFO.LAST_UPDATE
1999-01-01T08:00:00Z
2010-01-01T08:00:00Z
2012-01-01T08:00:00Z
I would like to separate the fields in order to have those events:
10.10.10.10 | 6 | 1 | 1999-01-01T08:00:00Z
10.10.10.10 | 456 | 12 | 2010-01-01T08:00:00Z
10.10.10.10 | 1234 | 1 | 2012-01-01T08:00:00Z
I tried to use mvexpand , mvzip , spath , etc.. But I did not succeed.
Is there a way to do it ?
Best regards,
Corentin
... View more