Is this possible in Splunk?
I have a log event with XML format. One of the XML nodes has more than one attribute. Example:
My xpath expression to get all the attributes will be:
| xpath "//Boolean_Filters/@*"
but I am unable to get the value of all the attributes. How can I do it with Splunk?
I can get the values one by one, for example:
| xpath "//Boolean_Filters/@linear" outfield=linear
Thanks.
Splunk can do it without any problem.
In my case, Splunk was failing because my events were malformed XML instances. As a result, I could not aggregate the result set with the stats function after the result set. For example:
| xpath "//Boolean_Filters/@*" outfield="values" | stats count by values
so I used this work-around:
| xpath "//Boolean_Filters/@*" outfield="values" | table linear non_linear offset
Or this one:
| xpath "//Boolean_Filters/@*" outfield="values" |
stats sum(eval(if(linear="true",1,0))) as Linear_Count
sum(eval(if(non_linear="true",1,0))) as non_linear_Count
sum(eval(if(offset="true",1,0))) as offset_Count
Cheers,
Lp