|
how do i setup xml input like: <abc> <pqr id="1"> <xyz> <aa>12</aa> <bb>34</bb> </xyz> <xyz> <aa>0</aa> <bb>99</bb> </xyz> </pqr> <pqr id="2"> <xyz> <aa>4</aa> <bb>1</bb> </xyz> </pqr> </abc> Want to create a report of this form: pqr:1 aa:12 bb:34 aa:0 bb:99 pqr:2 aa:4 bb:1 Have been searching around, but very new to Splunk and seems i couldn't find many pointers to follow. |
|
That works, thank you! Now i have another problem where i want '<aa>' and '<bb>' field values to be grouped together by '<pqr>'. For example, spath path=abc.pqr{*} gives me something like 1 12(aa) 2 34(bb) 0(aa) 99(bb) 4(aa) 1(bb) But i want output like: 1 12(aa) 34(bb) 0(aa) 99(bb) 2 4(aa) 1(bb) |
|
First, if you want to pull the data into Splunk, you can treat an XML file like any other text file. However, you will probably want to tell Splunk that this is a file that contains multi-line events, and how to identify the break between events. This is a pretty good answer that describes how to set up an XML input: XML Log Sourcetype Splunk does not automatically parse XML data. In fact, you often don't need to parse in order to search. You can search for all events where the pqr id is 1 simply by putting in the search box and specifying a time range. Once you have searched for the events that you want to report, you can ask Splunk to do "field extraction" on the events using the yoursearchhere | xmlkv You can see the fields that Splunk extracted from your xml in the fields sidebar. Use them however you want, perhaps with a There is also an ADDENDUM: Just found this... There is a way to tell Splunk to automatically create fields for XML data. Edit the appropriate props.conf and add If you read the XML Log Sourcetype answer, you could put the |
