- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to Fetch key/value pair from webservice reques...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to Fetch key/value pair from webservice request?
Hi I need to fetch key/value pair values from below request.. please help
like for Name key should return Siri
for USER_ROLE return BUS
Request passing as below:
<entry>
<key>Name</key>
<value>Siri</value>
</entry>
<entry>
<key>U_ROLE</key>
<value>BUS</value>
</entry>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sachinlohchab, based on the sample data provided, try the following run anywhere search. If you have JSON data, KV_MODE=json should be set in props.conf for your sourcetype for automatic search time field extraction. In anycase you can use the commands from | spath onward for your current base search.
| makeresults
| eval _raw="<entry><key>Name</key><value>Siri</value></entry><entry><key>U_ROLE</key><value>BUS</value></entry>"
| spath
| eval data=mvzip('entry.key','entry.value')
| fields - entry.*
| mvexpand data
| eval data=split(data,",")
| eval key=mvindex(data,0), value=mvindex(data,1)
| fields - data _raw _time
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not proud of this search, but it does work:
| makeresults
| eval _raw="<entry><key>Name</key><value>Siri</value></entry><entry><key>U_ROLE</key><value>BUS</value></entry>"
| xpath outfield=value "//entry/value"
| eval value=mvjoin(value, ",")
| xpath outfield=key "//entry[value]/key"
| makemv delim="," value
| eval key_value=mvzip(key, value)
| fields key_value
| mvexpand key_value
| rex field=key_value "(?<key>[^,]+),(?<value>.*)"
The mvjoin and makemv lines are there because, for some reason, calling xpath a second time results in the first multivalue field it produced being squashed into a single, space-delimited value instead.
Perhaps someone will come along and show the proper way to do this. I've never used it before.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Written below regex to fetch the value I need...works for me..
rex field=_raw "USR_ROLE<\/key>$\n[ ](?.|)<\/value>$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you looked at the xpath command?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you give me the command to fetch per my request. I am new to splunk
Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users
Everything Community at .conf24!
Index This | I’m short for "configuration file.” What am I?
