spath and lookup table to switch the path argument

secuc2r83
Path Finder

Hello,

(Splunk Enterprise 6.6.3)

In a dropdown menu, when I select an application, I need to parse and print a value from an XML field.
Problem: This value doesn't have the same name and XML path.
Solution: Use a lookup table to store APP -> PATH.NAME:

a.csv
        device,pathname
        app1, dir1.dir2.dir3.dir4.param_value
        app2, dir.param_data
        app3, dir1.dir2.dir3.param_name

When I test my request with the XML path, it works:

device=app3 | JOIN type=inner device [ | inputlookup a.csv ] | spath input=xmlfield output=param_name path=dir1.dir2.dir3.param_name | table device, data

        device,     data
        app3        param_name

But it is impossible when I call the lookup table's field content $pathname$:

device=app3 | JOIN type=inner device [ | inputlookup a.csv ] | spath input=xmlfield output=param_name path=$pathname$ | table device, data

            device,     data        
            app3            

To be sure that I grab the pathname from the lookup table, I put it in a test variable, with the same result:

device=app3 | JOIN type=inner device [ | inputlookup a.csv ] | eval test=$pathname$ | spath input=xmlfield output=param_name path=$pathname$ | table device, data, test

            device,     data        test
            app3                    dir1.dir2.dir3.param_name

In another post I see: "The spath command cannot accept a variable for the path - it treats unquoted paths as literals"
=> Then I put the XML path in quotes... but same result.

If someone has an idea, solution or alternative, it would be great.

Thanks in advance.

hardikJsheth
Motivator

In your scenario you should use the return command. You can try rewriting your query as follows:

device=app3 | spath input=xmlfield output=param_name [|inputlookup a.csv where device=app3 | eval path="path=\""+ pathname + "\"" | return $path ] | table device, data, test
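
A self-contained version of this pattern, added here as an illustration and not code from either poster: the subsearch runs first and its returned text is substituted into the outer search before `spath` is parsed, so `spath` receives a literal `path="..."` argument. Assumptions: `makeresults` stands in for both the indexed event and the matching `a.csv` row, the XML sample is constructed, `trim()` guards against the space after the comma in the CSV as shown above, and the `comment` macro needs Splunk Enterprise 6.5 or later.

```spl
| makeresults
| eval device="app3", xmlfield="<dir1><dir2><dir3><param_name>42</param_name></dir3></dir2></dir1>" `comment("constructed sample event, not real data")`
| spath input=xmlfield output=data
    [| makeresults `comment("assumption: stands in for inputlookup a.csv where device=app3")`
     | eval pathname=" dir1.dir2.dir3.param_name"
     | eval path="path=\"" . trim(pathname) . "\""
     | return $path ]
| table device, data
```

The `output=` name and the field listed in `table` must match, otherwise the extracted value is dropped from the result.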

secuc2r83
Path Finder

Thanks to hardikJsheth, it's working.
The clue was to "return" the variable in the subsearch.
Kind regards
