XML within a JSON: How parse a raw event?

GRamani123 · ‎06-02-2019

I'm trying to parse a amount value from a raw event. The event is in JSON format and one of the key value in this JSON is an xml. the field that I'm trying to parse is one of the xml tag value.
ex: event is

{"field1":"value1","field2":"value2", "field3":{"message:"

GRamani123 · ‎06-02-2019

I was able to parse it by fetching xml via spath then using eval _raw=xml_field | xmlkv | table amount

aromanauskas · ‎06-02-2019

_json is a built in sourcetype which should automatically parse this event. If you are setting this to a different sourcetype then it will not parse though. Suggest you first try: | spath as this should force the json to be parsed.

GRamani123 · ‎06-02-2019

I was able to parse the json via SPATH command and I fetched the XML in a new field. For Ex :command - Spath output=xml_field path=field3.message | table xml_field

aromanauskas · ‎06-03-2019

If you are still having an issue please post the query and example output.

GRamani123 · ‎06-02-2019

I'm not sure what is an issue but I complete comment is getting posted.

GRamani123 · ‎06-02-2019

I was able to parse the xml from the event but I'm unable to fetch the value of amount from this xml. I have tried both spath and xpath.

GRamani123 · ‎06-02-2019

{"field1":"value1","field2":"value2", "field3":{"message:"

XML within a JSON: How parse a raw event?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!