Re: Can splunk Do this? XPATH - XML Node with more...

lpolo · ‎01-09-2012

Is this possible in Splunk?

I have a log event with XML format. One of the XML nodes has more than one attribute. Example:

My xpath expression to get all the attributes will be:

| xpath "//Boolean_Filters/@*"

but I am unable to get the value of all the attributes. How can I do it with Splunk?

I can get the value one by one example:

| xpath "//Boolean_Filters/@linear" outfield=linear.

Thanks.

lpolo · ‎01-19-2012

Splunk can do it without any problem.
In my case, Splunk was failing because my events were mal-form XML instances. As a result, I could not aggregate the result set with the stats function after the result set. Like for example:

| xpath "//Boolean_Filters/@* outfield="values"|stats count by values

so I used this work-around:

| xpath "//Boolean_Filters/@* outfield="values"|table linear non_linear offset

Or this one:

| xpath "//Boolean_Filters/@* outfield="values"|
stats sum(eval(if(linear="true",1,0))) as Linear_Count
sum(eval(if(non_linear="true",1,0))) as non_linear_Count
sum(eval(if(offset="true",1,0))) as offset_Count

Cheers,
Lp
Thanks,
Lp

Thanks,
Lp

Can splunk Do this? XPATH - XML Node with more than one Attribute

October Community Champions: A Shoutout to Our Contributors!

Community Content Calendar, November Edition

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Can splunk Do this? XPATH - XML Node with more than one Attribute

October Community Champions: A Shoutout to Our Contributors!

Community Content Calendar, November Edition

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!