Solved: How to get multiple values from xml using xpath an...

ritesh14 · ‎04-15-2022

I am trying to get multiple values from xml as shows below

I have tried xpath and spath and both shows nothing

I am looking for ResponseCode, SimpleResponseCode and nResponseCode

here is the sample xml for reference

| makeresults 
| eval _raw="<?xml version=\"1.0\" encoding=\"utf-8\"?>
<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">
    <soapenv:Body>
        <ns3:LogResponse xmlns:ns2=\"http://randomurl.com/sample1\"
                            xmlns:ns3=\"http://randomurl.com/sample2\">
            <ResponseCode>OK</ResponseCode>
            <State>Simple</State>
            <Transactions>
                <TransactionName>CHANGED</TransactionName>
            </Transactions>
            <Transactions>
                <TransactionData>CHANGE_SIMPLE</TransactionData>
            </Transactions>
            <ServerTime>1649691711637</ServerTime>
            <SimpleResponseCode>OK</SimpleResponseCode>
            <nResponseCode>
                <nResponseCode>OK</nResponseCode>
            </nResponseCode>
            <USELESS>VALUES</USELESS>
            <MORE_USELESS>false</MORE_USELESS>
        </ns3:LogResponse>
    </soapenv:Body>
</soapenv:Envelope>" 
| xpath outfield=

ITWhisperer · ‎04-15-2022

| makeresults 
| eval _raw="<?xml version=\"1.0\" encoding=\"utf-8\"?>
<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">
    <soapenv:Body>
        <ns3:LogResponse xmlns:ns2=\"http://randomurl.com/sample1\"
                            xmlns:ns3=\"http://randomurl.com/sample2\">
            <ResponseCode>OK</ResponseCode>
            <State>Simple</State>
            <Transactions>
                <TransactionName>CHANGED</TransactionName>
            </Transactions>
            <Transactions>
                <TransactionData>CHANGE_SIMPLE</TransactionData>
            </Transactions>
            <ServerTime>1649691711637</ServerTime>
            <SimpleResponseCode>OK</SimpleResponseCode>
            <nResponseCode>
                <nResponseCode>OK</nResponseCode>
            </nResponseCode>
            <USELESS>VALUES</USELESS>
            <MORE_USELESS>false</MORE_USELESS>
        </ns3:LogResponse>
    </soapenv:Body>
</soapenv:Envelope>"
| spath soapenv:Envelope.soapenv:Body.ns3:LogResponse.ResponseCode output=ResponseCode
| spath soapenv:Envelope.soapenv:Body.ns3:LogResponse.SimpleResponseCode output=SimpleResponseCode
| spath soapenv:Envelope.soapenv:Body.ns3:LogResponse.nResponseCode.nResponseCode output=nResponseCode

View solution in original post

yeahnah · ‎02-09-2025

Just wanted to put add a xpath command solution that also works, simply as a future reference for users that can go with the spath command solution.

| makeresults
| eval _raw="<?xml version=\"1.0\" encoding=\"utf-8\"?>
<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">
    <soapenv:Body>
      <ns3:LogResponse xmlns:ns2=\"http://randomurl.com/sample1\"
                       xmlns:ns3=\"http://randomurl.com/sample2\">
        <LogResponse >
            <ResponseCode>OK</ResponseCode>
            <State>Simple</State>
            <Transactions>
                <TransactionName>CHANGED</TransactionName>
            </Transactions>
            <Transactions>
                <TransactionData>CHANGE_SIMPLE</TransactionData>
            </Transactions>
            <ServerTime>1649691711637</ServerTime>
            <SimpleResponseCode>OK</SimpleResponseCode>
            <nResponseCode>
                <nResponseCode>OK</nResponseCode>
            </nResponseCode>
            <USELESS>VALUES</USELESS>
            <MORE_USELESS>false</MORE_USELESS>
        </LogResponse>
      </ns3:LogResponse>
    </soapenv:Body>
</soapenv:Envelope>"
| eval xml=replace(_raw, "^<\?xml.+\?>[\r\n]*", "")   ``` xpath does not like ?xml encoding version and text declaration, so remove```  
| xpath field=xml outfield=ResponseCode "//*[local-name()='ResponseCode']"   ``` use *[local-name()='<value>' to ignore namespace declarations, i.e. xmlns='smomething' ]  ```
| xpath field=xml outfield=SimpleResponseCode "//*[local-name()='SimpleResponseCode']"
| xpath field=xml outfield=nResponseCode "//*[local-name()='nResponseCode']/nResponseCode"

ITWhisperer · ‎04-15-2022

| makeresults 
| eval _raw="<?xml version=\"1.0\" encoding=\"utf-8\"?>
<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">
    <soapenv:Body>
        <ns3:LogResponse xmlns:ns2=\"http://randomurl.com/sample1\"
                            xmlns:ns3=\"http://randomurl.com/sample2\">
            <ResponseCode>OK</ResponseCode>
            <State>Simple</State>
            <Transactions>
                <TransactionName>CHANGED</TransactionName>
            </Transactions>
            <Transactions>
                <TransactionData>CHANGE_SIMPLE</TransactionData>
            </Transactions>
            <ServerTime>1649691711637</ServerTime>
            <SimpleResponseCode>OK</SimpleResponseCode>
            <nResponseCode>
                <nResponseCode>OK</nResponseCode>
            </nResponseCode>
            <USELESS>VALUES</USELESS>
            <MORE_USELESS>false</MORE_USELESS>
        </ns3:LogResponse>
    </soapenv:Body>
</soapenv:Envelope>"
| spath soapenv:Envelope.soapenv:Body.ns3:LogResponse.ResponseCode output=ResponseCode
| spath soapenv:Envelope.soapenv:Body.ns3:LogResponse.SimpleResponseCode output=SimpleResponseCode
| spath soapenv:Envelope.soapenv:Body.ns3:LogResponse.nResponseCode.nResponseCode output=nResponseCode

How to get multiple values from xml using xpath and spath?

field extraction

regex

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform