Getting Data In

Search, XPATH and XPATH namespaces

DWRoelands
New Member

I have an index populated with data from a Log4Net trace log.  Each Splunk event in the index is a block of XML with an XML namespace:

 

<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
	<System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
		<EventID>0</EventID>
		<Type>3</Type>
		<SubType Name="Information">0</SubType>
		<Level>8</Level>
		<TimeCreated SystemTime="04/22/2023 12:30:45.0456293Z"/>
		<Source Name="Bar"/>
		<Correlation ActivityID="{459d276d-8255-47be-be1d-9acd903fd3f0}"/>
		<Execution ProcessName="NA" ProcessID="1124" ThreadID="9"/>
		<Channel/>
		<Computer>NA</Computer>
	</System>
	<ApplicationData>
		<TraceData>
			<DataItem>
				<TraceRecord Severity="Information">
					<TraceIdentifier/>
					<Description><![CDATA[Start Operation: foo]]></Description>
					<Activity><![CDATA[Start Operation: foo]]></Activity>
					<Duration>0</Duration>
				</TraceRecord>
			</DataItem>
		</TraceData>
	</ApplicationData>
</E2ETraceEvent>

 

 

I am trying to search these events, and I want the contents of the "Description" XML element.  Does Splunk's implementation of XPATH support namespaces?   This search is returning no records:

 

index="lmstracelogs" xpath "//E2ETraceEvent/ApplicationData/TraceData/DataItem/TraceRecord/Description"

 

 

Almost every example I've found for working with XML suggests regular expressions, which seems inelegant.

Labels (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

You can't match any events this way since you're trying to find "xpath" as a literal term included in your event.

0 Karma

danspav
SplunkTrust
SplunkTrust

Hi @DWRoelands,

This may not be the most elegant, but to avoid regex you can use:

| xpath outfield=description "/*[name()='E2ETraceEvent' and  namespace-uri()='http://schemas.microsoft.com/2004/06/E2ETraceEvent' ]/*[name()='ApplicationData']/*[name()='TraceData']/*[name()='DataItem']/*[name()='TraceRecord']/*[name()='Description']"

That creates a description field with the correct text:

danspav_1-1688190757690.png

It does obey the namespace, but it's not the easiest to read.

Falling back to regex, if you run a sedcmd you can strip the namespaces and use your original xpath:

| rex mode=sed "s/xmlns=\"[^\"]+\"//g"
| xpath outfield=description "//E2ETraceEvent/ApplicationData/TraceData/DataItem/TraceRecord/Description"


Cheers,
Daniel

 

 

 

0 Karma

danspav
SplunkTrust
SplunkTrust

Alternatively, just run:

| spath path="E2ETraceEvent.ApplicationData.TraceData.DataItem.TraceRecord.Description" output=description
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...