Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Parse XML data into fields while indexing

varshini_97
Path Finder
‎01-24-2024 07:19 AM

Sample data:

<?xml version="1.0" encoding="UTF-8" ?>
<Results xmlns:xsi="http://www.w3.org">
<Result>
<Code>OK</Code>
<Details>LoadMessageOverviewData</Details>
<Text>Successful</Text>
</Result>
<Data>
<ColumnNames>
<Column>Sender&#x20;Component</Column>
<Column>Receiver&#x20;Component</Column>
<Column>Interface</Column>
<Column>System&#x20;Error</Column>
<Column>Waiting</Column>
</ColumnNames>
<DataRows>
<Row>
<Entry>XYZ</Entry>
<Entry>ABC</Entry>
<Entry>Mobile</Entry>
<Entry>-</Entry>
<Entry>3</Entry>
</Row>
</DataRows>
</Data>
</Results>

Hello,

I need to extract fields from the above xml data.

I have tried the below props, but still the data is not extracting properly.

Props.conf

CHARSET=UTF-8

BREAK_ONLY_BEFORE = <\/Row>

MUST_BREAK_AFTER = <Row>

SHOULD_LINEMERGE  = true

KV_MODE = xml

pulldown_type = true

DATETIME_CONFIG = CURRENT

NO_BINARY_CHECK=true

TRUNCATE=0

description=describing props config

disabled=false

How to parse the data.?

Thanks in advance

Labels (3)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-25-2024 04:47 AM

1. Please post your data/code samples in a pre-formatted way (using either the "preformatted" style or the code sample control in the editor. It makes the sample easier to read.

2. It's not clear what you want to get from this data.

3. Unless you have a very good reason and a strong use case, you should not parse data _into fields_ while indexing (in other words - create indexed fields). Most parsing in Splunk is done in search time.

4. Unless you have a very very good reason (even better one than the one for the indexed fields) you should not use SHOULD_LINEMERGE=true. It gives you a huge performance hit.

0 Karma
Reply

varshini_97
Path Finder
‎01-29-2024 05:44 AM

 

<?xml version="1.0" encoding="UTF-8" ?>
<Results xmlns:xsi="http://www.w3.org">
    <Result>
        <Code>OK</Code>
        <Details>LoadMessageOverviewData</Details>
        <Text>Successfull</Text>
    </Result>
    <Data>
        <ColumnNames>
            <Column>Sender&#x20;Component</Column>
            <Column>Receiver&#x20;Component</Column>
            <Column>Interface</Column>
            <Column>System&#x20;Error</Column>
            <Column>Waiting</Column>
        </ColumnNames>
        <DataRows>
            <Row>
                <Entry>XYZ</Entry>
                <Entry>ABC</Entry>
                <Entry>Mobile</Entry>
                <Entry>-</Entry>
                <Entry>3</Entry>
            </Row>
        </DataRows>
    </Data>
</MessageStatisticsQueryResults>

Hi @PickleRick ,

 

Above is my xml data,

My expected parsed data are below

Field NameField Value
Sender ComponentXYZ
Receiver ComponentABC
InterfaceMobile
System Error-
Waiting3
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-29-2024 07:32 AM

Argh. This is a case of a very badly prepared data. And without external manipulation you won't get it into Splunk (or parse it after ingestion). The <Data> part of your data is so ugly organized - there is no explicit relationship between the <ColumnNames> and <DataRows>. Whoever thought about preparing data in this format did it very very wrong. Even if you were to manipulate it with a solution different than Splunk you'd have a hard time to compose those associations between column names and their values because of the need to externally keep the order of those values.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-25-2024 02:25 AM

Hi

Your example picks those <Entry> lines to one event and the rests are separate events. So basically this is working, but output is not something what you are expecting? How you would like to divide this to separate events? Can you also add some more events/rows or are events always like this?

r. Ismo

0 Karma
Reply

varshini_97
Path Finder
‎01-29-2024 05:49 AM

Hi @isoutamo ,

Yes, I can see the Entry data in a separate event, but there are no fields parsed through this.

I need fields and values to be parsed like the below table.

Field NameField Value
Sender ComponentXYZ
Receiver ComponentABC
InterfaceMobile
System Error-
Waiting3
0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...