topic Re: XML field extraction with spath in Splunk Search

XML field extraction with spath

4uramana4u — Fri, 15 Jan 2021 07:44:33 GMT

eval FunctionalRef=spath(_raw,"n2:EvtMsg.Bd.BOEvt.Evt.DatElGrp{2}.DatEl.Val") -> I am getting two(2) values DHL5466256965140262WH3, DE4608089.

Instead I should get only DHL5466256965140262WH3. So this value is not static

XML Snippet:

<DatElGrp Cd="CommonGrp">
<DatEl>
<Cd>FunctionalRef</Cd>
<Val>DHL5466256965140262WH3</Val>
</DatEl>
<DatEl>
<Cd>DeclarantID</Cd>
<Val>DE4608089</Val>
</DatEl>
</DatElGrp>

Re: XML field extraction with spath

to4kawa — Fri, 15 Jan 2021 12:44:45 GMT

index=_internal | head 1 | fields _raw | eval _raw="<DatElGrp Cd=\"CommonGrp\"> <DatEl> <Cd>FunctionalRef</Cd> <Val>DHL5466256965140262WH3</Val> </DatEl> <DatEl> <Cd>DeclarantID</Cd> <Val>DE4608089</Val> </DatEl> </DatElGrp>" | spath | rename DatElGrp{@Cd} as GrpCd, DatElGrp.* as * | foreach DatEl.* [ eval <<FIELD>> = mvindex('<<FIELD>>' , 0)]

Re: XML field extraction with spath

to4kawa — Fri, 15 Jan 2021 13:27:07 GMT

Re: XML field extraction with spath

4uramana4u — Fri, 15 Jan 2021 14:21:42 GMT

Excellent! Thank you so much!