Dashboards & Visualizations

How do you search with the xpath command in an XML file?

Path Finder

I would like to extract the text of tag3 in xml file like that :

alt text

When i search the texte tag2 it's ok

mysearch | xpath "//tag1/tag2/@name" output=name | chart count by name

What is the syntax of request to extract the text of tag3 ?

None of those searches are OK

mysearch | xpath "//tag1/tag2/tag3" output=text | chart count by text

or

mysearch | xpath "//tag1/tag2/tag3" outfield=text | chart count by text

Thanks for your help

0 Karma

Esteemed Legend

Why not just use spath like this:

|makeresults | eval _raw="<tag1><tag2 name=\"TEXTE\"><tag3>TEXTE OF MESSAGE</tag3></tag2></tag1>"
| spath

This gives you these:

_raw                                                                   _time                 tag1.tag2.tag3     tag1.tag2{@name}
<tag1><tag2 name="TEXTE"><tag3>TEXTE OF MESSAGE</tag3></tag2></tag1>   2018-12-08 15:19:37   TEXTE OF MESSAGE   TEXTE
0 Karma

Hi,

when i try this with my run everywhere example, everything works as expected. Maybe your xml is not correctly? For example the tags are not closed correctly? Also, the option is called outfield, not output.

Here is the example, try your self:

| makeresults | eval _raw="<tag1><tag2 name=\"foo\"><tag3>Test 123</tag3></tag2></tag1>" | xpath "//tag1/tag2/tag3" outfield=value
0 Karma

Builder

Did you try using xmlkv in your search

 mysearch | xmlkv | chart count by name

you could also insert xmlkv as a search-time extraction on your search head props.conf 
[sourcetype]
KV_MODE = xml 

http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Xmlkv

0 Karma

Super Champion

IF tag3 is fixed then you can try simple regex like-

|rex "<tag3>(?<TEXT>[^<]+)"
0 Karma