Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

spath command

VijaySrrie
Builder
‎09-07-2020 10:35 PM

Hi,

What is spath command, when to use it? Please expalin below command.

| spath input=json
 
Is there any alternative command for spath? 
When we use spath command will it consume more time ?
 
Labels (1)
Labels
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-07-2020 10:46 PM

Most common use for spath is with json. It helps to get elements and tables inside json. 
Same kind of command is xmlkv which is used to manipulate xml events. 
r. Ismo

Reply

VijaySrrie
Builder
‎09-07-2020 10:53 PM

I am creating a dashboard, 

spath is not the best practice to use in dashboard itseems, can you modify the below query with some other command?

index=indexname application=appname  sourcetype=sourcetypename  asset_env=prod  component=abc "message=Received event:"
| table json
| spath input=json output=body path=Records{}.body

|spath input=body output=requestId path=request.requestId

|stats dc(requestId)

Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-07-2020 11:14 PM

Depending on what your data actually looks like, extracting a single value might be just as easily achieved with rex

Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-07-2020 11:00 PM
Can you post your event as sample data, without it, it’s hard to help you.
And also short verbal description what you want to achieve.
0 Karma
Reply

VijaySrrie
Builder
‎10-19-2020 06:04 PM

Instead of spath command, we were asked to create Field extractions as a best practice.

Reply

inventsekar
SplunkTrust
SplunkTrust
‎10-19-2020 06:36 PM

Sure @VijaySrrie then, let us know the sample logs, which fields you want to extract, etc... please. 

 

to answer your first question about spath basics:

The spath command enables you to extract information from the structured data formats XML and JSON.

Alternatives to the spath command

If you are using autokv or index-time field extractions, the path extractions are performed for you at index time.

You do not need to explicitly use the spath command to provide a path.

If using indexed_extractions=JSON or using KV_MODE=JSON in the props.conf file, then the spath command is not necessary to explicitly use.

 

Specify the output field and a path for an XML attribute

Use the @ symbol to specify an XML attribute. Consider the following XML list of books and authors.

<?xml version="1.0">
<purchases>
   <book>
         <author>Martin, George R.R.</author>
         <title yearPublished=1996>A Game of Thrones</title>
         <title yearPublished=1998>A Clash of Kings</title>
  </book>
   <book>
         <author>Clarke, Susanna</author>
         <title yearPublished=2004>Jonathan Strange and Mr. Norrell</title>
   </book>
   <book>
         <author>Kay, Guy Gavriel</author>
         <title yearPublished=1990>Tigana</title>
   </book>
   <book>
         <author>Bujold, Lois McMasters</author>
         <title yearPublished=1986>The Warrior's Apprentice</title>
   </book>
</purchases>

Use this search to return the path for the book and the year it was published.

... | spath output=dates path=purchases.book.title{@yearPublished} | table dates

 

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Spath

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...