Can splunk Do this? XPATH - XML Node with more tha...

lpolo · ‎01-09-2012

Is this possible in Splunk?

I have a log event with XML format. One of the XML nodes has more than one attribute. Example:

My xpath expression to get all the attributes will be:

| xpath "//Boolean_Filters/@*"

but I am unable to get the value of all the attributes. How can I do it with Splunk?

I can get the value one by one example:

| xpath "//Boolean_Filters/@linear" outfield=linear.

Thanks.

lpolo · ‎01-19-2012

Splunk can do it without any problem.
In my case, Splunk was failing because my events were mal-form XML instances. As a result, I could not aggregate the result set with the stats function after the result set. Like for example:

| xpath "//Boolean_Filters/@* outfield="values"|stats count by values

so I used this work-around:

| xpath "//Boolean_Filters/@* outfield="values"|table linear non_linear offset

Or this one:

| xpath "//Boolean_Filters/@* outfield="values"|
stats sum(eval(if(linear="true",1,0))) as Linear_Count
sum(eval(if(non_linear="true",1,0))) as non_linear_Count
sum(eval(if(offset="true",1,0))) as offset_Count

Cheers,
Lp
Thanks,
Lp

Thanks,
Lp

Can splunk Do this? XPATH - XML Node with more than one Attribute

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!