I am using Splunk to extract a number of fields from xml data this is contained in a log file.
The file is very large. This is part of it.
xmlns:ns2="http://ground.fedex.com/schemas/linehaul/TMSCommon"> PURCHASEDLINEHAUL APPROVE 116029927 104257037 104257037 1 2020-02-20T21:53:39.000Z .... more lines here that are not important 1587040 FXTR DRAY RULE PZ1 923 RLTO 330 RESOURCE DRIVE LH PHONE 877-851-3543 true
This query selects the xml part text in the logging file and some of the fields are extracted and I can add to a table. (not including the source and sourcetype..)
| xmlkv | table purchCostReference, eventType, carrier, billingMethod
But need more fields that are child elements within the xml data. One of them is the numberCode. I am trying to use xpath to extract these additional fields.
| xmlkv | xpath "//tmsTrip/purchasedCost/purchasedCostTripSegment/origin/ns2:numberCode"
outfield=Origin | table
purchCostReference, eventType,
carrier, billingMethod, Origin
But no Origin data is returned when I add the field to the table. There is no error. The Origin column is empty.
What am I doing wrong with the xpath command that it is not showing any data?
...
| xmlkv | spath path="tmsTrip.purchasedCost.purchasedCostTripSegment.origin.ns2:numberCode" output=Origin
| table purchCostReference, eventType,carrier, billingMethod, Origin