topic Re: Search, XPATH and XPATH namespaces in Getting Data In

Search, XPATH and XPATH namespaces

DWRoelands — Thu, 04 May 2023 13:35:31 GMT

I have an index populated with data from a Log4Net trace log. Each Splunk event in the index is a block of XML with an XML namespace:

I am trying to search these events, and I want the contents of the "Description" XML element. Does Splunk's implementation of XPATH support namespaces? This search is returning no records:

index="lmstracelogs" xpath "//E2ETraceEvent/ApplicationData/TraceData/DataItem/TraceRecord/Description"

Almost every example I've found for working with XML suggests regular expressions, which seems inelegant.

Re: Search, XPATH and XPATH namespaces

danspav — Sat, 01 Jul 2023 06:02:11 GMT

Hi @DWRoelands,

This may not be the most elegant, but to avoid regex you can use:

| xpath outfield=description "/*[name()='E2ETraceEvent' and namespace-uri()='http://schemas.microsoft.com/2004/06/E2ETraceEvent' ]/*[name()='ApplicationData']/*[name()='TraceData']/*[name()='DataItem']/*[name()='TraceRecord']/*[name()='Description']"

That creates a description field with the correct text:

It does obey the namespace, but it's not the easiest to read.

Falling back to regex, if you run a sedcmd you can strip the namespaces and use your original xpath:

| rex mode=sed "s/xmlns=\"[^\"]+\"//g" | xpath outfield=description "//E2ETraceEvent/ApplicationData/TraceData/DataItem/TraceRecord/Description"

Cheers,
Daniel

Re: Search, XPATH and XPATH namespaces

danspav — Sat, 01 Jul 2023 06:06:43 GMT

Alternatively, just run:

| spath path="E2ETraceEvent.ApplicationData.TraceData.DataItem.TraceRecord.Description" output=description

Re: Search, XPATH and XPATH namespaces

PickleRick — Sat, 01 Jul 2023 08:08:00 GMT

You can't match any events this way since you're trying to find "xpath" as a literal term included in your event.