Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk Enterprise version 7.1 will no longer be supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Download topic as PDF

xmlkv

Description

The xmlkv command automatically extracts key-value pairs from XML-formatted data.

For JSON-formatted data, use the spath command.

Syntax

The required syntax is in bold.

xmlkv
[<field>]
maxinputs=<int>

Required arguments

None.

Optional arguments

field
Syntax: <field>
Description: The field from which to extract the key and value pairs.
Default: The _raw field.
maxinputs
Syntax: maxinputs=<int>
Description: The maximum number of events or search results to use as inputs into the xmlkv command.
Default: 50000

Usage

The xmlkv command is a distributable streaming command. See Command types.

Keys and values in XML elements

From the following XML, name is the key and Settlers of Catan is the value in the first element. 

<game>
   <name>Settlers of Catan</name>
   <category>competitive</category>
</game>
<game>
   <name>Ticket to Ride</name>
   <category>competitive</category>
</game>

Examples

1. Automatically extract key-value pairs

Extract key-value pairs from XML tags in the _raw field. Processes a maximum of 50000 events.

... | xmlkv

2. Extract a specific number of key-value pairs

Extract the key-value pairs from the first ten thousand events.

... | xmlkv maxinputs=10000

See also

Commands
extract
kvform
multikv
rex
spath
xpath
Last modified on 28 July, 2020
PREVIOUS
x11 		  NEXT
xmlunescape

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.1.0, 7.0.10, 7.0.13, 7.0.3, 7.0.4

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters