Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

XML Extraction with multi values

Hazel
Communicator
‎11-24-2010 02:44 PM

Hello

I am looking for a way to extract my values from an xml file, so it seems that using xmlkv would be my best approach, however the names in the xml have spaces in so the xmlkv isn't coping with this.

E.g

<machines>  
    <machine name="a" port="1" active="true">  
        <value>  
            <replace>Example</replace>  
            <cfg>  
                <server name>URL1</serverUrl>  
                <serverUsername>Username1</serverUsername>  
                <server name>URL2</serverUrl>  
                <serverUsername>Username2</serverUsername>  
            </cfg>  
        </value>  
    </machine>  
<machine>

So if I run this through xmlkv, it will pick up "name" as a, reading machine name. It will then completely ignore server name as it also classes this as name.

Is there any way around this? Or another approach that is better?

I am trying to end up with a report that would tell me, machine name and then all the server names associated with it (and similarly for other properties in the file)

Thanks!

Hazel

Tags (1)
0 Karma
Reply

eashwar
Communicator
‎02-07-2013 09:45 AM

have you tried using spath command

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Spath

all the best, and happy Splunking!!

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎11-24-2010 10:49 PM

Technically this is not valid XML. XML parsers will not see a "server name" tag here, they'll instead see a 'server' tag. And when they get to the "name" they will throw an exception because it thinks its an attribute but there is no value and you cant have attributes with no values in XML.

also note that the <replace>Example<replace/> is malformed due to the misplaced slash char.

Also for it to be well-formed XML you need quotes around the two attributes -- the "a" and the "1"

However even if you fixed those problems, it's quite likely that xmlkv wont do everything that you need. For instance the relationship between server1 and URL1 will not be preserved in any way. If your XML really looks like this and cannot be changed I'd recommend a scripted input. Unfortunately of course you wont be able to use an off-the-shelf XML parser because they'll just hit the above problems.

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎11-30-2010 05:30 AM

Also, the XML isn't valid because <server name> doesn't match up against </serverUrl>, and as nick says, the opening tag by XML is <server> with an attribute name with no value. You could try just using regex parsing, or you can write your own script to parse this data, using xmlkv script as a model (it's just a wrapper around a standard library).

0 Karma
Reply

Hazel
Communicator
‎11-25-2010 10:05 AM

Hello. Thanks for your reply. Firstly - the replace and a/1 issues, this was my fault... i was just making up an xml similar to ours to give an example. These are correct in the real file. I've now fixed it above. Is there anything you would recommend now if xmlkv isn't the right thing?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...