Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you search with the xpath command in an XML file?

faribole
Path Finder
‎11-23-2018 06:54 AM

I would like to extract the text of tag3 in xml file like that :

alt text

When i search the texte tag2 it's ok

mysearch | xpath "//tag1/tag2/@name" output=name | chart count by name

What is the syntax of request to extract the text of tag3 ?

None of those searches are OK

mysearch | xpath "//tag1/tag2/tag3" output=text | chart count by text

or 

mysearch | xpath "//tag1/tag2/tag3" outfield=text | chart count by text

Thanks for your help

Preview file
1 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎12-08-2018 01:21 PM

Why not just use spath like this:

|makeresults | eval _raw="<tag1><tag2 name=\"TEXTE\"><tag3>TEXTE OF MESSAGE</tag3></tag2></tag1>"
| spath

This gives you these:

_raw                                                                   _time                 tag1.tag2.tag3     tag1.tag2{@name}
<tag1><tag2 name="TEXTE"><tag3>TEXTE OF MESSAGE</tag3></tag2></tag1>   2018-12-08 15:19:37   TEXTE OF MESSAGE   TEXTE
0 Karma
Reply

tom_frotscher
Builder
‎12-06-2018 07:51 AM

Hi,

when i try this with my run everywhere example, everything works as expected. Maybe your xml is not correctly? For example the tags are not closed correctly? Also, the option is called outfield, not output.

Here is the example, try your self:

| makeresults | eval _raw="<tag1><tag2 name=\"foo\"><tag3>Test 123</tag3></tag2></tag1>" | xpath "//tag1/tag2/tag3" outfield=value
0 Karma
Reply

prakash007
Builder
‎12-05-2018 05:56 PM

Did you try using xmlkv in your search 

 mysearch | xmlkv | chart count by name

you could also insert xmlkv as a search-time extraction on your search head props.conf 
[sourcetype]
KV_MODE = xml

http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Xmlkv

0 Karma
Reply

493669
Super Champion
‎12-05-2018 09:15 PM

IF tag3 is fixed then you can try simple regex like-

|rex "<tag3>(?<TEXT>[^<]+)"
0 Karma
Reply
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...