
xmlkv
Description
The xmlkv
command automatically extracts key-value pairs from XML-formatted data.
For JSON-formatted data, use the spath
command.
Syntax
The required syntax is in bold.
- xmlkv
- [<field>]
- maxinputs=<int>
Required arguments
None.
Optional arguments
- field
- Syntax: <field>
- Description: The field from which to extract the key and value pairs.
- Default: The
_raw
field.
- maxinputs
- Syntax: maxinputs=<int>
- Description: The maximum number of events or search results to use as inputs into the
xmlkv
command. - Default: 50000
Usage
The xmlkv
command is a distributable streaming command. See Command types.
Keys and values in XML elements
From the following XML, name
is the key and Settlers of Catan
is the value in the first element.
<game> <name>Settlers of Catan</name> <category>competitive</category> </game> <game> <name>Ticket to Ride</name> <category>competitive</category> </game>
Examples
1. Automatically extract key-value pairs
Extract key-value pairs from XML tags in the _raw
field. Processes a maximum of 50000 events.
... | xmlkv
2. Extract a specific number of key-value pairs
Extract the key-value pairs from the first ten thousand events.
... | xmlkv maxinputs=10000
See also
PREVIOUS x11 |
NEXT xmlunescape |
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.9, 7.0.10, 6.5.3, 7.0.4, 7.0.6, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 7.0.3, 7.0.5, 7.0.7, 7.0.8
Feedback submitted, thanks!