https://community.splunk.com/t5/Splunk-Search/Using-xpath-queries-on-events-that-contain-text-and-xml/m-p/91534#M23580 <P>According to the <A href="http://www.splunk.com/base/Documentation/latest/SearchReference/Xpath" rel="nofollow">documentation for the xpath comman</A>d, you should be able to use it on your field as such:</P> <PRE><CODE>your search | xpath field=your_field "//blah/node" </CODE></PRE> Fri, 03 Dec 2010 04:13:26 GMT ftk 2010-12-03T04:13:26Z https://community.splunk.com/t5/Splunk-Search/Using-xpath-queries-on-events-that-contain-text-and-xml/m-p/91531#M23577 <P>Hello, So xpath feature is great, but I have this issue. We deal with XML messaging from our customers and would like to extract some field data using xpath queries to run stats. I was able to create a field extraction that will pull out xml message, but I can't figure out how to tell Splunk to perform the xpath query on an extracted field. </P> <P>Here's what a sample event looks like this: </P> <PRE><CODE>20101117 161059.999 DEBUG[D] clpr ZZZ:[PROD ZZZ|FIXML3-ReaderThread-105] :CMBSource ZZZ|FIXML3, Underlying Source=[WeblogicJmsSource PROD_XXXX_JMSServer/PROD_XXX!ZZZ_FIXML_IN, TxMode=2] read MessageID 5540635964843910837 --&gt; DESTINATION_NAME= SOURCE_NAME=FIXML3 CORRELATION_ID=5540644259047556424 JMSXDeliveryCount=1 Payload(String)=&lt;?xml version="1.0" encoding="UTF-8"?&gt;&lt;FIXML&gt;&lt;AllocRptAck MsgEvtSrc="MQM" TxnTm="2010-11-17T16:10:59-06:00" InptDev="API" RptTyp="9" RptID="2" ID="123456" TransTyp="0" TrdDt="2010-11-17"&gt;&lt;Hdr Snt="2010-11-17T16:10:59-06:00"/&gt;&lt;Pty ID="CBT" R="22"&gt;&lt;/Pty&gt;&lt;/AllocAck&gt;&lt;/AllocRptAck&gt;&lt;/FIXML&gt; </CODE></PRE> <P>I created a field extraction that takes everything between the two FIXML tags and creates a field, but cannot figure out how to execute xpath queries on this in Splunk. It is a valid XML but how do I tell splunk to just use that field I've identified so that I can use xpath. Note: xmlkv won't work for this because of the nature of the messages as seen above. </P> <P>Thanks! -Mike </P> Thu, 18 Nov 2010 07:18:12 GMT https://community.splunk.com/t5/Splunk-Search/Using-xpath-queries-on-events-that-contain-text-and-xml/m-p/91531#M23577 Mikey_C 2010-11-18T07:18:12Z https://community.splunk.com/t5/Splunk-Search/Using-xpath-queries-on-events-that-contain-text-and-xml/m-p/91532#M23578 <P>I tried to work with XML and xpath but so far without full success. I started to create my own function for it but it's very far to be finished. But this is probably because I'm haven't used the product for a long time. Have you tried to use rex? For instance, rex (?.*) or something similar to extract what you need. Hope that helps.</P> Thu, 18 Nov 2010 15:47:57 GMT https://community.splunk.com/t5/Splunk-Search/Using-xpath-queries-on-events-that-contain-text-and-xml/m-p/91532#M23578 OL 2010-11-18T15:47:57Z https://community.splunk.com/t5/Splunk-Search/Using-xpath-queries-on-events-that-contain-text-and-xml/m-p/91533#M23579 <P>I know I could write a regular expression to get the field out of the XML, but it would be nice to use xpath queries so I could after different types of data.</P> Fri, 19 Nov 2010 01:01:28 GMT https://community.splunk.com/t5/Splunk-Search/Using-xpath-queries-on-events-that-contain-text-and-xml/m-p/91533#M23579 Mikey_C 2010-11-19T01:01:28Z https://community.splunk.com/t5/Splunk-Search/Using-xpath-queries-on-events-that-contain-text-and-xml/m-p/91534#M23580 <P>According to the <A href="http://www.splunk.com/base/Documentation/latest/SearchReference/Xpath" rel="nofollow">documentation for the xpath comman</A>d, you should be able to use it on your field as such:</P> <PRE><CODE>your search | xpath field=your_field "//blah/node" </CODE></PRE> Fri, 03 Dec 2010 04:13:26 GMT https://community.splunk.com/t5/Splunk-Search/Using-xpath-queries-on-events-that-contain-text-and-xml/m-p/91534#M23580 ftk 2010-12-03T04:13:26Z