Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

XML and JSON Data Types

shangshin
Builder
‎04-26-2012 11:39 AM

Hi, I would like to use Splunk to parse xml and json data files and trigger the alert if the element "checked" is false. I would appreciate if you can provide an example on how to set up the field extractors for these 2 data type. Thank You!

[{
"text": "Products",
"cls": "folder",
"expanded": true,
"children": [{
"text": "iPad",
"leaf": true,
"checked": true 

},{
    "text": "iPhone",
    "leaf": true,
    "checked": false       
},{
    "text": "iPod",
    "leaf": true,
    "checked": true      
}
]

}]

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎04-26-2012 11:41 AM

Examples here using the spath command.

http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Spath

When you add an output it creates that field so you have the extracted value.

| spath output=myloc path=vendorproductset.product.desc.locdesc{4}{@locale}

View solution in original post

Reply
Solved! Jump to solution
Solution

sdaniels
Splunk Employee
Splunk Employee
‎04-26-2012 11:41 AM

Examples here using the spath command.

http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Spath

When you add an output it creates that field so you have the extracted value.

| spath output=myloc path=vendorproductset.product.desc.locdesc{4}{@locale}

Reply
Solved! Jump to solution

shangshin
Builder
‎05-01-2012 12:29 PM

Thanks a lot for the great support!

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎05-01-2012 08:06 AM

I don't have a web server to put up a screenshot, and you can't just paste them in here as far as i can tell. Email me and I can send it to you.

Reply
Solved! Jump to solution

shangshin
Builder
‎05-01-2012 07:06 AM

Hi, thanks for the reply.
I entered the search string below but didn't find the result as a new field "myloc". I also clicked on the link "View all 14 fields" but still no luck.
sourcetype="sample_xml" | spath output=myloc path=vendorproductset.product.desc.locdesc{1}{@locale}

Can you upload a screenshot if possible?

Basically, we would like to use splunk to monitor a dynamic xml file and trigger the alert if the element value matches.

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎04-30-2012 03:54 PM

Hey shangshin...sorry for the delay. I didn't realize you were working on the test xml data. If you add an output, it will add your result as a new field. You'll see the field added in the bottom left under field discovery. That's the value you can now use. The whole event comes back since you matched it in your search. Now you can | to a new command with the ability to use your extracted value.

| spath output=myloc path=vendorproductset.product.desc.locdesc{4}{@locale}

Reply
Solved! Jump to solution

shangshin
Builder
‎04-26-2012 01:26 PM

I am following the example to add the sample xml "vendorProductSet" as the new search data.
However, when I entered the string string
sourcetype="sample_xml" | spath path=vendorProductSet.product.desc.locDesc{4}{@locale}
I didn't not see it extracts the attribute of the 4th locDesc (ca)
Instead, I got the whole xml returned from search result.

Am I missing anything?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...