https://community.splunk.com/t5/Splunk-Search/spath-vs-xpath-parse-xml/m-p/569480#M198489 <P>What do you get without the last table line?</P> Sun, 03 Oct 2021 16:51:24 GMT ITWhisperer 2021-10-03T16:51:24Z https://community.splunk.com/t5/Splunk-Search/spath-vs-xpath-parse-xml/m-p/569473#M198483 <P>Hi</P><P>i have xml file like this, how can i table it with xpath or spath?</P><P>&nbsp;</P><P>&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;<BR />&lt;info xmlns:xsi="<A href="http://www.w3.org/2001/XMLSchema-instance" target="_blank" rel="noopener">http://www.w3.org/2001/XMLSchema-instance</A>"&gt;<BR />&lt;error-codes&gt;<BR />&lt;error-code code="000" message="Exceeded" severity="1" InfoCode="0000" action="" description=""/&gt;<BR />&lt;error-code code="001" message="Not Found" severity="1" InfoCode="0000" action="" description=" nope"/&gt;<BR />&lt;/error-codes&gt;</P><P>&lt;/info&gt;</P><P>&nbsp;</P><P>&nbsp;</P><P>excpected output:</P><P>....&nbsp; | table&nbsp;code&nbsp;message&nbsp;severity&nbsp;InfoCode&nbsp;&nbsp;action&nbsp;description</P> Sun, 03 Oct 2021 10:21:16 GMT https://community.splunk.com/t5/Splunk-Search/spath-vs-xpath-parse-xml/m-p/569473#M198483 indeed_2000 2021-10-03T10:21:16Z https://community.splunk.com/t5/Splunk-Search/spath-vs-xpath-parse-xml/m-p/569475#M198484 <P>Firstly split error-codes into separate events, then extract all the field attributes, then create new fields based on the attribute name</P><LI-CODE lang="markup">| makeresults | eval _raw="&lt;?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?&gt; &lt;info xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"&gt; &lt;error-codes&gt; &lt;error-code code=\"000\" message=\"Exceeded\" severity=\"1\" InfoCode=\"0000\" action=\"\" description=\"\"/&gt; &lt;error-code code=\"001\" message=\"Not Found\" severity=\"1\" InfoCode=\"0000\" action=\"\" description=\" nope\"/&gt; &lt;/error-codes&gt; &lt;/info&gt;" | spath path="info.error-codes" output=errorcodes | eval _raw=errorcodes | multikv noheader=t | table _raw | spath | foreach "error-code{@*}" [| eval _name="&lt;&lt;MATCHSEG1&gt;&gt;" | eval {_name}='&lt;&lt;FIELD&gt;&gt;'] | rename error-code* as _error-code* | table code message severity InfoCode action description</LI-CODE> Sun, 03 Oct 2021 11:44:29 GMT https://community.splunk.com/t5/Splunk-Search/spath-vs-xpath-parse-xml/m-p/569475#M198484 ITWhisperer 2021-10-03T11:44:29Z https://community.splunk.com/t5/Splunk-Search/spath-vs-xpath-parse-xml/m-p/569477#M198486 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;Thank you for answer</P><P>i can see it successfuly extract fields from xml file, when i run this spl&nbsp; ....| table _raw</P><P>but no result when I run this&nbsp;&nbsp; ....|&nbsp; table code message severity InfoCode action description</P><P>here is the full spl</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index="my-index" source="/home/file.xml" | spath path="info.error-codes" output=errorcodes | eval _raw=errorcodes | multikv noheader=t | table _raw | spath | foreach "error-code{@*}" [| eval _name="&lt;&lt;MATCHSEG1&gt;&gt;" | eval {_name}='&lt;&lt;FIELD&gt;&gt;'] | rename error-code* as _error-code* | table code message severity InfoCode action description</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><DIV class="lia-panel lia-panel-standard MessageTagsTaplet Chrome lia-component-message-view-widget-tags"><DIV class="lia-decoration-border"><DIV class="lia-decoration-border-top"><DIV>any idea?</DIV><DIV>Thanks</DIV></DIV></DIV></DIV> Sun, 03 Oct 2021 15:28:59 GMT https://community.splunk.com/t5/Splunk-Search/spath-vs-xpath-parse-xml/m-p/569477#M198486 indeed_2000 2021-10-03T15:28:59Z https://community.splunk.com/t5/Splunk-Search/spath-vs-xpath-parse-xml/m-p/569478#M198487 <P>You haven't got a closing double quote around your index name?</P> Sun, 03 Oct 2021 14:55:49 GMT https://community.splunk.com/t5/Splunk-Search/spath-vs-xpath-parse-xml/m-p/569478#M198487 ITWhisperer 2021-10-03T14:55:49Z https://community.splunk.com/t5/Splunk-Search/spath-vs-xpath-parse-xml/m-p/569479#M198488 <P>when i copy here accidentally removed, corect spl have double quotes.</P><P>I modify last reply.</P><P>any other idea?</P><P>&nbsp;</P> Sun, 03 Oct 2021 15:29:58 GMT https://community.splunk.com/t5/Splunk-Search/spath-vs-xpath-parse-xml/m-p/569479#M198488 indeed_2000 2021-10-03T15:29:58Z https://community.splunk.com/t5/Splunk-Search/spath-vs-xpath-parse-xml/m-p/569480#M198489 <P>What do you get without the last table line?</P> Sun, 03 Oct 2021 16:51:24 GMT https://community.splunk.com/t5/Splunk-Search/spath-vs-xpath-parse-xml/m-p/569480#M198489 ITWhisperer 2021-10-03T16:51:24Z https://community.splunk.com/t5/Splunk-Search/spath-vs-xpath-parse-xml/m-p/569487#M198491 <P>after some workaround it work,I try to remove file and add with custom source type. finally table return result.</P><P>Thanks,</P> Sun, 03 Oct 2021 20:50:19 GMT https://community.splunk.com/t5/Splunk-Search/spath-vs-xpath-parse-xml/m-p/569487#M198491 indeed_2000 2021-10-03T20:50:19Z