How to extract data from xml



I want to extract data from the following XML using an xpath query,
but it is not able to fetch the data in the tags below. Please help.

<data Name="ill" field="u">uuuu</data>
<data Name="jkl" field="op">898989</data>

I want to fetch 898989 from the following xml.

|xmlkv | xpath "//ev/reg/orig" outfield=data | table _time,name,data

I am able to extract the value of name but not from the other two tags.

0 Karma

Splunk Employee

Use KV_MODE = XML in props.conf


Check out the spath command.

| spath


The spath command--the "s" stands for Splunk (or structured) -- provides a straightforward means for extracting information from structured data formats, XML and JSON. It also highlights the syntax in the displayed events list.


KV_MODE = [none|auto|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.
* Set KV_MODE to one of the following:
    * none: if you want no field/value extraction to take place.
    * auto: extracts field/value pairs separated by equal signs.
    * multi: invokes the multikv search command to expand a tabular event into multiple events.
    * xml: automatically extracts fields from XML data.
    * json: automatically extracts fields from JSON data.
* Setting to 'none' can ensure that one or more user-created regexes are not overridden by
  automatic field/value extraction for a particular host, source, or source type, and also
  increases search performance.
* Defaults to auto.
* The 'xml' and 'json' modes will not extract any fields when used on data that isn't of the correct format (JSON or XML).


This may be outside of xmlkv's abilities. It is not based on a generalized XML parser and works best on schemas that are more like:


If your schema is decently simple, you might be able to do this yourself with a rule in transforms.conf similar to this:

REGEX = <data Name="([^"]+)"[^>]+>([^<]+)</data>
FORMAT = $1::$2

But this makes some fairly specific assumptions about the organization of your XML schema. This is also not a true XML parsing operation, but simple pattern matching on the text.

0 Karma
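
The assumptions that the pattern-matching rule above depends on, shown as an added example that is not part of the original answers and is not Splunk code. Python's `re` module stands in for the transforms.conf REGEX, and the `<event>` wrapper and the four extra `<data>` variants are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Pattern from the transforms.conf rule above (FORMAT = $1::$2 -> name::value).
DATA_RE = re.compile(r'<data Name="([^"]+)"[^>]+>([^<]+)</data>')

# Constructed sample: the two <data> elements from the question inside a
# hypothetical <event> root, plus variants the pattern does not anticipate.
SAMPLE_EVENT = """<event>
<data Name="ill" field="u">uuuu</data>
<data Name="jkl" field="op">898989</data>
<data field="op" Name="reordered">111</data>
<data Name='single' field="op">222</data>
<data Name="noattr">333</data>
<data Name="escaped" field="op">a &lt; b</data>
</event>"""


def extract_with_regex(text):
    """Emulate the REGEX/FORMAT pair: plain pattern matching on the text."""
    return dict(DATA_RE.findall(text))


def extract_with_parser(text):
    """Parse the XML and map each <data> Name attribute to its text."""
    root = ET.fromstring(text)
    return {el.get("Name"): (el.text or "") for el in root.iter("data")}


def value_by_name(text, name):
    """Select one element by attribute predicate, as an XPath query would."""
    el = ET.fromstring(text).find(f".//data[@Name='{name}']")
    return None if el is None else el.text


if __name__ == "__main__":
    by_regex = extract_with_regex(SAMPLE_EVENT)
    by_parser = extract_with_parser(SAMPLE_EVENT)
    print("regex :", by_regex)
    print("parser:", by_parser)
    # Fields silently dropped by the pattern: a gap in what gets indexed.
    print("missed by regex:", sorted(set(by_parser) - set(by_regex)))
    print("jkl =", value_by_name(SAMPLE_EVENT, "jkl"))
```

The pattern silently skips elements with reordered attributes, single-quoted attributes, or no second attribute, and it returns entity-escaped text undecoded, so fields can be missing from search results without any error.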