Parse XML With Multiple Inner Elements

Handle repeated XML elements using the parseXml() function

Query

parseXml()

Introduction

The parseXml() function can be used to parse XML content and extract values from XML elements. When dealing with multiple identical elements at the same level, it automatically creates both a single field containing the first value and an array of all values that can be accessed using array notation.

In this example, the parseXml() function is used to parse XML data containing multiple instances of the same element name, demonstrating how both single and array-indexed fields are created.

Example incoming data might look like this:

@rawstring
<outer><inner>1</inner><inner>2</inner><inner>3</inner></outer>

Step-by-Step

  1. Starting with the source repository events.

  2. parseXml()

    Parses the XML content from the @rawstring field and creates multiple fields:

    outer.inner - contains the value of the first inner element (1).

    outer.inner[0], outer.inner[1], and outer.inner[2] - contain all values as an array (1, 2, 3).

    When no field parameter is specified, parseXml() uses the @rawstring field by default.

  3. Event Result set.

Summary and Results

The query is used to parse XML data containing multiple instances of the same element and create an indexed array of values.

This query is useful, for example, to process XML logs containing repeated elements such as multiple error messages, list items, or configuration entries.

Sample output from the incoming example data:

outer.inner  outer.inner[0]  outer.inner[1]  outer.inner[2]
1            1               2               3

Note that outer.inner contains the same value as outer.inner[0], providing both a direct reference to the first value and array access to all values.
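
The field layout described above, as an added Python example (not LogScale code and not part of the original page): it models how repeated elements become a first-value field plus indexed fields, and shows that a comparison against outer.inner alone never sees the values 2 and 3. The names flatten_xml and array_values are hypothetical, and only the repeated-element case shown on this page is modelled.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: the example event from this page.
SAMPLE = "<outer><inner>1</inner><inner>2</inner><inner>3</inner></outer>"


def flatten_xml(rawstring):
    """Model the field layout this page describes for repeated elements.

    Assumption: attributes, namespaces and mixed content are ignored, and
    an element that is not repeated gets a plain field only.
    """
    fields = {}

    def walk(elem, path):
        counts = Counter(child.tag for child in elem)
        seen = Counter()
        for child in elem:
            name = f"{path}.{child.tag}"
            if len(child):  # element has children of its own: descend
                walk(child, name)
                continue
            value = (child.text or "").strip()
            fields.setdefault(name, value)  # plain field keeps the first value
            if counts[child.tag] > 1:  # repeated sibling: add an indexed field
                fields[f"{name}[{seen[child.tag]}]"] = value
                seen[child.tag] += 1

    root = ET.fromstring(rawstring)
    walk(root, root.tag)
    return fields


def array_values(fields, name):
    """Return name[0], name[1], ... in index order."""
    values = []
    while f"{name}[{len(values)}]" in fields:
        values.append(fields[f"{name}[{len(values)}]"])
    return values


if __name__ == "__main__":
    fields = flatten_xml(SAMPLE)
    print(fields)
    # A comparison on the plain field sees only the first value.
    print(fields["outer.inner"] == "3")
    # Checking every indexed field finds the later value.
    print("3" in array_values(fields, "outer.inner"))
```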