Dashboards & Visualizations

spath and lookup table to switch the path argument

secuc2r83
Path Finder

Hello,

(splunk entreprise 6.6.3)

In a dropdown menu, when i select an application, i need to parse and print a value from an xml field
Problem: This value don't have the same name and xml path.
Solution: Use a lookup table to store APP -> PATH.NAME:

a.csv
        device,pathname
        app1, dir1.dir2.dir3.dir4.param_value
        app2, dir.param_data
        app3, dir1.dir2.dir3.param_name

When i test my request with the xml path, it's working:

device=app3 | JOIN type=inner device [ | inputlookup a.csv ] | spath input=xmlfield output=param_name path=dir1.dir2.dir3.param_name | table device, data

        device,     data
        app3        param_name

But impossible when i call the lookup table's field content $pathname$:

device=app3 | JOIN type=inner device [ | inputlookup a.csv ] | spath input=xmlfield output=param_name path=$pathname$ | table device, data

            device,     data        
            app3            

To be sure that i grab the pathname from lookup table, i put it in a test variable and same result:

device=app3 | JOIN type=inner device [ | inputlookup a.csv ] | eval test=$pathname$ | spath input=xmlfield output=param_name path=$pathname$ | table device, data, test

            device,     data        test
            app3                    dir1.dir2.dir3.param_name

In other post i see: "The spath command cannot accept a variable for the path - it treats unquoted paths as literals"
=> Then i put xml path in quotes... but same result.

If someone have an idea, solution or alternative it will be great.

Thanks in advance.

Tags (1)
0 Karma
1 Solution

hardikJsheth
Motivator

In your scenario you should use return command. You can try rewriting your query as follows:

device=app3 | spath input=xmlfield output=param_name [|inputlookup a.csv where device=app3 | eval path="path=\""+ pathname + "\"" | return $path ] | table device, data, test

View solution in original post

0 Karma

hardikJsheth
Motivator

In your scenario you should use return command. You can try rewriting your query as follows:

device=app3 | spath input=xmlfield output=param_name [|inputlookup a.csv where device=app3 | eval path="path=\""+ pathname + "\"" | return $path ] | table device, data, test

View solution in original post

0 Karma

secuc2r83
Path Finder

Thanks to hardikJsheth , it's working.
The clue was to "return" the variable in the subsearch.
kind Regards

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.