Gloria Santin
Reputation: 2136
Create regular expression using the rex command in Splunk to return xml child elements
I am trying to use the Splunk command rex which uses regular expressions to extract data from a log statement. This is the part of the xml of interest:
<tmsTrip xmlns="removed_for_security" xmlns:ns2="removed_for_security">
<recordType>PURCHASEDLINEHAUL</recordType>
<eventType>DISPATCH</eventType>
<updatedDateGMT>2020-05-21T17:22:55.000Z</updatedDateGMT>
<origin>
<ns2:numberCode>923</ns2:numberCode>
<ns2:numberType>2</ns2:numberType>
</origin>
<destination>
<ns2:numberCode>72</ns2:numberCode>
<ns2:numberType>2</ns2:numberType>
</destination>
I need the numberCode from the origin and destination. This rex returns the first one, 923.
rex field=_raw "\<ns2\:numberCode\>(?P<origin>[^\<]+)"
I need a rex to return the second one, 72.
Upvotes: 0
Views: 632
Answers (1)
RichG
Reputation: 9926
You can tell rex to return both of them using the max_match option.
| rex max_match=0 "\<ns2\:numberCode\>(?P<origin>[^\<]+)"
| eval originCode = mvindex(origin, 0), destCode = mvindex(origin, 1)
Unfortunately, there's no way to know the order of the matches so this fails if destination precedes origin in the XML.
You should be able to use spath to extract the entire XML and refer to "origin.numberCode" and "destination.numberCode", but I don't have enough experience with that command to offer much guidance.
Upvotes: 2
Related Questions
- Multiple Rex Expressions
- Extracting multi values with regex ( Only values, Not Fieldname )
- Using Splunk rex to extract String from logs
- Splunk rex extract field, I am close but just cant get it matching
- Regex XML with group name and including tags
- Need a regex command to find a value in an xml file
- Splunk: how to extract fields using regular expressions? like rex in splunk search
- RegEx in Splunk Search
- dumping XML log files into Splunk
- A regex with Splunk