Dashboards & Visualizations

How to use spath for multiple tags in xml?

Path Finder

Hi All,

I have this XML:

<h:requester>
    <h:requesterType>Profile Owner</h:requesterType>
    <h:requesterId>92904582</h:requesterId>
</h:requester>
<h:requester>
    <h:requesterType>Customer</h:requesterType>
    <h:requesterId>92904582</h:requesterId>
</h:requester>

I'm able to extract the values for RequesterType and RequesterId using spath, but I'm getting both the values i.e Customer & Profile Owner.

My requirement is to extract RequesterId for RequesterType="Customer". I don't know how we can achieve that using spath. Can somebody help in that.

0 Karma
1 Solution

Motivator

Try this please which should get you required items:

your base query to return xml events
| spath output=requester path=h:requester
| mvexpand requester 
| table requester 
| spath input=requester output=type path=h:requesterType 
| spath input=requester output=id path=h:requesterId
| table  type, id 
| search type="Customer"

View solution in original post

Motivator

Try this please which should get you required items:

your base query to return xml events
| spath output=requester path=h:requester
| mvexpand requester 
| table requester 
| spath input=requester output=type path=h:requesterType 
| spath input=requester output=id path=h:requesterId
| table  type, id 
| search type="Customer"

View solution in original post

Path Finder

Thanks for answer.

0 Karma

Motivator

You are welcome. I am happy that it worked for you. Happy Splunking!

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!