(splunk entreprise 6.6.3)
In a dropdown menu, when i select an application, i need to parse and print a value from an xml field
Problem: This value don't have the same name and xml path.
Solution: Use a lookup table to store APP -> PATH.NAME:
When i test my request with the xml path, it's working:
device=app3 | JOIN type=inner device [ | inputlookup a.csv ] | spath input=xmlfield output=param_name path=dir1.dir2.dir3.param_name | table device, data
But impossible when i call the lookup table's field content $pathname$:
device=app3 | JOIN type=inner device [ | inputlookup a.csv ] | spath input=xmlfield output=param_name path=$pathname$ | table device, data
To be sure that i grab the pathname from lookup table, i put it in a test variable and same result:
device=app3 | JOIN type=inner device [ | inputlookup a.csv ] | eval test=$pathname$ | spath input=xmlfield output=param_name path=$pathname$ | table device, data, test
device, data test
In other post i see: "The spath command cannot accept a variable for the path - it treats unquoted paths as literals"
=> Then i put xml path in quotes... but same result.
If someone have an idea, solution or alternative it will be great.
Thanks in advance.
In your scenario you should use return command. You can try rewriting your query as follows:
device=app3 | spath input=xmlfield output=param_name [|inputlookup a.csv where device=app3 | eval path="path=\""+ pathname + "\"" | return $path ] | table device, data, test
View solution in original post
Thanks to hardikJsheth , it's working.
The clue was to "return" the variable in the subsearch.