xmlkv

This command is experimental

Definition

The xmlkv command gets the key-value pairs from data that is in XML format.

Syntax

| xmlkv [<column-name>] [maxinputs=<integer>]

Optional arguments

Examples

Use the xmlkv command to extract XML content into separate columns. By default, xmlkv extracts from the _raw column.

index=crud_xml earliest=-5y
| xmlkv

Currently, xmlkv requires that the name of the extracted column is defined. See the issue on GitHub.

Currently, xmlkv requires that a value is given for the maxinputs argument. See the issue on GitHub.

Extract XML content from a specific column

You can define the column from which you want to extract the data. By default, the xmlkv command extracts from the _raw column.

| makeresults
| eval test = "<data><timestamp_epoch>1640930173</timestamp_epoch></data>"
| xmlkv test

Currently, xmlkv requires that a value is given for the maxinputs argument. See the issue on GitHub.

maxinputs

maxinputs isn’t currently supported.

You can define the maximum number of events that can be used as input for the xmlkv command.

index=crud_xml earliest=-5y
| xmlkv maxinputs=10

Currently, xmlkv requires that the name of the extracted column is defined. See the issue on GitHub.
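The row-level behaviour described on this page (column selection, the _raw default and the maxinputs limit), sketched in Python as an added example; it is not the command's own implementation. Assumptions: each leaf element becomes a column named after its tag, rows past the maxinputs limit pass through unparsed, and values that are malformed or carry a DTD add no columns.

```python
import xml.etree.ElementTree as ET

def extract_pairs(text):
    """Return {tag: text} for every leaf element in an XML string."""
    # Event data is untrusted input: refuse DTDs and swallow parse errors.
    if not isinstance(text, str) or "<!doctype" in text.lower():
        return {}
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return {}
    pairs = {}
    for elem in root.iter():
        value = (elem.text or "").strip()
        if len(elem) == 0 and value:           # leaf element with content
            key = elem.tag.rsplit("}", 1)[-1]  # drop any {namespace} prefix
            pairs[key] = value                 # assumption: last duplicate wins
    return pairs

def xmlkv(rows, column="_raw", maxinputs=None):
    """Add one column per extracted key to each row (a dict)."""
    out = []
    for i, row in enumerate(rows):
        new_row = dict(row)
        # Assumption: rows past the maxinputs limit pass through unparsed.
        if maxinputs is None or i < maxinputs:
            new_row.update(extract_pairs(row.get(column)))
        out.append(new_row)
    return out

# Constructed sample rows; the first value is the one used on this page.
SAMPLE = [
    {"test": "<data><timestamp_epoch>1640930173</timestamp_epoch></data>"},
    {"test": "<event><host>web01</host><user><name>alice</name></user></event>"},
    {"test": "<data><broken>1</data>"},  # malformed: no columns added
]

if __name__ == "__main__":
    for row in xmlkv(SAMPLE, column="test", maxinputs=2):
        print(row)
```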

Further Reading