Solved: Re: How to use spath for multiple tags in xml?

ID_SplunkUser · ‎01-10-2017

Hi All,

I have this XML:

<h:requester>
    <h:requesterType>Profile Owner</h:requesterType>
    <h:requesterId>92904582</h:requesterId>
</h:requester>
<h:requester>
    <h:requesterType>Customer</h:requesterType>
    <h:requesterId>92904582</h:requesterId>
</h:requester>

I'm able to extract the values for RequesterType and RequesterId using spath, but I'm getting both the values i.e Customer & Profile Owner.

My requirement is to extract RequesterId for RequesterType="Customer". I don't know how we can achieve that using spath. Can somebody help in that.

gokadroid · ‎01-10-2017

Try this please which should get you required items:

your base query to return xml events
| spath output=requester path=h:requester
| mvexpand requester 
| table requester 
| spath input=requester output=type path=h:requesterType 
| spath input=requester output=id path=h:requesterId
| table  type, id 
| search type="Customer"

View solution in original post

gokadroid · ‎01-10-2017

Try this please which should get you required items:

your base query to return xml events
| spath output=requester path=h:requester
| mvexpand requester 
| table requester 
| spath input=requester output=type path=h:requesterType 
| spath input=requester output=id path=h:requesterId
| table  type, id 
| search type="Customer"

ID_SplunkUser · ‎01-11-2017

Thanks for answer.

gokadroid · ‎01-11-2017

You are welcome. I am happy that it worked for you. Happy Splunking!

How to use spath for multiple tags in xml?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!