- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to create the Regular Expression for the x...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create the Regular Expression for the xml
Hi Team,
I have XML in the format present below and i am trying to use field transformation and field extraction in order to extract the field in people format.
Could you please help me in creating regular expression for this xml
<ns4:includeme>false</ns4:includeme>
<m:houseref>21</m:houseref>
<m1:security>***</m1:security>
<Name>Argus</Name>
I would like to have a single regular expression which i can use to extract all the field values and field name.
I tried to use below
- \<\w?\w?\d?\:([^\>]+)\>([^\<]+)\<\/
But its not capturing the last one Argus
So i would like to know if it can be possible if yes then what would be the expression.
Many Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not use spath (you can certainly go with @richgalloway's answer)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Richgalloway's
I am not sure how to use spath.
If you help me in understanding the syntax and usage it would be helpfull.
Many Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are going to LOVE this. Just add this to the end of your existing search and freak out:
| spath
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi wood,
I still cannot see the fields getting extracted 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this and then figure out what is what is wonky in your search (by default it works from the _raw field)
| makeresults
| eval _raw="<ns4:includeme>false</ns4:includeme>
<m:houseref>21</m:houseref>
<m1:security>***</m1:security>
<Name>Argus</Name>"
| spath
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your regex string was very close. The colon is optional so I put a question mark after it in the regex. This worked for me on regex101.com with your sample data.
\<\w?\w?\d?\:?([^\>]+)\>([^\<]+)\<\/
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for coming back to me.
<Na**me**>Argus</Name>
Then it is only capturing me part from Name and i want full Name to be rexed out.
Many Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@m7787580, any reason you are not using spath or xpath command?
| makeresults | eval message= "Happy Splunking!!!"
Troubleshooting the OpenTelemetry Collector
Adoption of Infrastructure Monitoring at Splunk
Modern way of developing distributed application using OTel
