topic Re: Clarification on xmlkv command in Splunk Search

Clarification on xmlkv command

Jananee_iNautix — Fri, 23 May 2014 13:09:25 GMT

Hi,

I have a set of logs in xml format.Since the logs are xml formatted xmlkv command was used .As per the property of the log,the command creates fields as key value pairs from the logs.For example "Sw:Logicalname" is the field that splunk extracted based on the xmlkv command.When I wanted to perform maniputlations on that field using "eval" command,the following error was displayed
⚠ Error in 'eval' command: The operator at ':LogicalName' is invalid.

Can someone resolve this or suggest anyother idea to handle this

Re: Clarification on xmlkv command

somesoni2 — Fri, 23 May 2014 13:30:02 GMT

Try this.

| stats count | eval _raw="<sw:Test><sw:Name>FirstName</sw:Name><sw:ID>123</sw:ID></sw:Test>" | xmlkv | eval "sw:Name"='sw:Name'+" LastName"

basically, use the fieldname within double qoutes on left side of the "=" (when referring to field) and use fieldname within single quotes on right side of "=" (when referring to value)

Re: Clarification on xmlkv command

MuS — Fri, 23 May 2014 13:36:52 GMT

Hi Jananee_iNautix,

this is no problem of the xmlkv command, but a problem of your field name. Take this run everywhere command as example:

index=_internal earliest=-1m | head 1 | eval Foo:boo="my foo" | eval myFoo='Foo:boo' | table Foo:boo myFoo

this will work because I quoted the field name 'Foo:boo' and Splunk will no longer interpret the : as operator. Where as

index=_internal earliest=-1m | head 1 | eval Foo:boo="my foo" | eval myFoo=Foo:boo | table Foo:boo myFoo

will bring your error.

cheers, MuS

Re: Clarification on xmlkv command

MuS — Fri, 23 May 2014 13:38:05 GMT

HeHe, I was typing for too long 😉