Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to rename XML field name into shorter name ?

sieutruc
Contributor
‎11-20-2012 05:08 AM

Hello,

I get difficult when manipulating XML field name, if i use like:

sourcetype="test_xml_as" | table content_table.table2{@BUSINESS_ENTITY_1}

It gave me desired result,

but if i use rename function as:

sourcetype="test_xml_as" | rename content_table.table2 as test | table test{@BUSINESS_ENTITY_1}

This search hasn't any result. The reason that i want to use rename is to reduce some internal XML field name that are very long.

So anyone can tell which function i should use to reduce XML field name ?

Tags (1)
0 Karma
Reply

sbsbb
Builder
‎04-16-2013 10:57 AM

For that you have to use spath...
You can spath a specific element, and then with a pipe make a second spath...

Spath input=input_field output=output_field path="path.to.my.container" | spath input=ouputfield path=path.into.my.container

Or simply the second spath without parameter will return all values in fields...

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎11-20-2012 05:45 AM

You can use xpath to take a really long path and simplify it to a single field.

Try This:

sourcetype="text_xml_as"|xpath outfield=test "content_table.table2{@BUSINESS_ENTITY_1}"|table test

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Xpath

0 Karma
Reply

sieutruc
Contributor
‎11-20-2012 07:46 AM

i tested it, it doesn't work , 😞

sourcetype=text_xml_as|xpath outfield=test "//content_table/table2"|table test{@BUSINESS_ENTITY_1}

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎11-20-2012 07:22 AM

I believe it can be done in same way, but haven't tested it. sourcetype=text_xml_as|xpath outfield=test "content_table.table2"|table test{@BUSINESS_ENTITY_1}

0 Karma
Reply

sieutruc
Contributor
‎11-20-2012 07:21 AM

What i mean is to reduce content_table.table2 to only one field and use it to reference to its children field or its properties.

For example:

test:=content_table.table2

test{@BUSINESS_ENTITY_1} gives a result

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top