Hello,

(splunk entreprise 6.6.3)

In a dropdown menu, when i select an application, i need to parse and print a value from an xml field
Problem: This value don't have the same name and xml path.
Solution: Use a lookup table to store APP -> PATH.NAME:

a.csv
        device,pathname
        app1, dir1.dir2.dir3.dir4.param_value
        app2, dir.param_data
        app3, dir1.dir2.dir3.param_name

When i test my request with the xml path, it's working:

device=app3 | JOIN type=inner device [ | inputlookup a.csv ] | spath input=xmlfield output=param_name path=dir1.dir2.dir3.param_name | table device, data

        device,     data
        app3        param_name

But impossible when i call the lookup table's field content $pathname$:

device=app3 | JOIN type=inner device [ | inputlookup a.csv ] | spath input=xmlfield output=param_name path=$pathname$ | table device, data

            device,     data        
            app3            

To be sure that i grab the pathname from lookup table, i put it in a test variable and same result:

device=app3 | JOIN type=inner device [ | inputlookup a.csv ] | eval test=$pathname$ | spath input=xmlfield output=param_name path=$pathname$ | table device, data, test

            device,     data        test
            app3                    dir1.dir2.dir3.param_name

In other post i see: "The spath command cannot accept a variable for the path - it treats unquoted paths as literals"
=> Then i put xml path in quotes... but same result.

If someone have an idea, solution or alternative it will be great.

Thanks in advance.