Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me with the following value extraction of XML data?

moorvogi
Path Finder
‎11-13-2018 06:36 AM

I want to say there's a "simple" way to sets of data from XML. For example: in the XML below, i want two records/events.. such as.

identity_id        transaction_code            sname      dogname
3017669              SEL                        BARC                  abc123
1037669              SEL                        TARC                  pookybear

from the data set like below.

<AllRecords>
   <DataSet xmlns="">
        <arg token="dogname" value="abc123" />
        <identity_id>3017669</identity_id>
        <instrument_id>912383KM1</instrument_id>
        <transaction_code>SEL</transaction_code>
        <sname>BARC</sname>
        <currency_code>USA</currency_code>
   </DataSet> 

   <DataSet xmlns="">
        <arg token="dogname" value="pookybear" />
        <identity_id>1037669</identity_id>
        <instrument_id>219383KM1</instrument_id>
        <transaction_code>SEL</transaction_code>
        <sname>TARC</sname>
        <currency_code>USA</currency_code>
   </DataSet>
</AllRecords>
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎11-13-2018 06:53 AM

Try this:

|spath|rename AllRecords.DataSet.* as *|rex max_match=0 "arg token=\"(?<token>\w+)\"\s*value=\"(?<value>\w+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎11-13-2018 06:53 AM

Try this:

|spath|rename AllRecords.DataSet.* as *|rex max_match=0 "arg token=\"(?<token>\w+)\"\s*value=\"(?<value>\w+)"
0 Karma
Reply
Solved! Jump to solution

moorvogi
Path Finder
‎11-13-2018 08:48 AM

sorry i forgot a field in my dataset. i also need to get "dogname" with the associated record for the row. i've updated the example above.

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎11-13-2018 09:06 AM

give this a try:

|spath|rename AllRecords.DataSet.* as *|rex max_match=0 "arg token=\"(?<token>\w+)\"\s*value=\"(?<value>\w+)"
0 Karma
Reply
Solved! Jump to solution

moorvogi
Path Finder
‎11-13-2018 09:12 AM

PERFECT! The winner is "rex". That's where i need to spend more time reading apparently. Thanks for the help!

0 Karma
Reply
Solved! Jump to solution

moorvogi
Path Finder
‎11-13-2018 09:13 AM

how do i accept the updated answer? or should i just accept your first one? repost as another commet and i'll accept that one.. if you want.

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎11-13-2018 09:36 AM

i have updated the answer ..please accept the answer and upvote the comment which helped

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...