
How to extract data from xml

john
Communicator

Hi,

I want to extract data from the following XML. I am using the xpath query to extract the data,
but it is not able to fetch the data available in the tag below. Please help.

<name>kk</name>
<data Name="ill" field="u">uuuu</data>
<data Name="jkl" field="op">898989</data>

I want to fetch 898989 from the following xml.

|xmlkv | xpath "//ev/reg/orig" outfield=data | table _time,name,data

I am able to extract the value of name but not from the other two tags.

0 Karma

dmaislin_splunk
Splunk Employee

Use KV_MODE = XML in props.conf

or

Check out the spath command.

| spath

SPATH

The spath command--the "s" stands for Splunk (or structured) -- provides a straightforward means for extracting information from structured data formats, XML and JSON. It also highlights the syntax in the displayed events list.

KV_MODE:

KV_MODE = [none|auto|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.
* Set KV_MODE to one of the following:
    * none: if you want no field/value extraction to take place.
    * auto: extracts field/value pairs separated by equal signs.
    * multi: invokes the multikv search command to expand a tabular event into multiple events.
    * xml: automatically extracts fields from XML data.
    * json: automatically extracts fields from JSON data.
* Setting to 'none' can ensure that one or more user-created regexes are not overridden by
  automatic field/value extraction for a particular host, source, or source type, and also
  increases search performance.
* Defaults to auto.
* The 'xml' and 'json' modes will not extract any fields when used on data that isn't of the correct format (JSON or XML).

dwaddle
SplunkTrust

This may be outside of xmlkv's abilities. It is not based on a generalized XML parser and works best on schemas that are more like:

<name>kk</name>
<ill>uuuu</ill>
<jkl>898989</jkl>

If your schema is decently simple, you might be able to do this yourself with a rule in transforms.conf similar to this:

[myxmltransform]
REGEX = <data Name="([^"]+)"[^>]+>([^<]+)</data>
FORMAT = $1::$2

But this makes some fairly specific assumptions about the organization of your XML schema. This is also not a true XML parsing operation, but simple pattern matching on the text.

0 Karma
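
To make the caveat in the answer above concrete, here is an added example (not part of the thread and not Splunk code) that runs the answer's REGEX against a few constructed events and compares the result with a real XML parser. Python's re module stands in for Splunk's regex engine, and the <ev> wrapper element, the helper names and all sample events except the first are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# REGEX copied from the [myxmltransform] stanza in the answer above.
DATA_RE = re.compile(r'<data Name="([^"]+)"[^>]+>([^<]+)</data>')

def regex_fields(event):
    """Approximate FORMAT = $1::$2: capture 1 is the field name, capture 2 the value."""
    return dict(DATA_RE.findall(event))

def parsed_fields(event):
    """Same extraction with a real XML parser (events are fragments, so add a root)."""
    # For untrusted input, a hardened parser such as defusedxml is the safer choice.
    root = ET.fromstring("<ev>" + event + "</ev>")
    return {d.get("Name"): (d.text or "") for d in root.iter("data")}

# Constructed sample events; only the first mirrors the layout in the question.
SAMPLES = {
    "as_posted": '<name>kk</name><data Name="ill" field="u">uuuu</data>'
                 '<data Name="jkl" field="op">898989</data>',
    "attrs_swapped": '<data field="op" Name="jkl">898989</data>',
    "name_only": '<data Name="jkl">898989</data>',
    "entity_value": '<data Name="cmp" field="op">a &lt; b</data>',
    "empty_value": '<data Name="jkl" field="op"></data>',
}

def compare(samples=SAMPLES):
    """Return {label: (regex result, parser result)} for each sample event."""
    return {k: (regex_fields(v), parsed_fields(v)) for k, v in samples.items()}

if __name__ == "__main__":
    for label, (by_regex, by_parser) in compare().items():
        flag = "same" if by_regex == by_parser else "DIFFERS"
        print(f"{label:14} {flag:8} regex={by_regex} parser={by_parser}")
```

Only the event laid out exactly as in the question extracts identically; the other four lose or alter fields under the regex, which is the kind of silent gap that matters when a search or alert depends on the extracted field.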