Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to rename XML field name into shorter name ?

sieutruc
Contributor
‎11-20-2012 05:08 AM

Hello,

I get difficult when manipulating XML field name, if i use like:

sourcetype="test_xml_as" | table content_table.table2{@BUSINESS_ENTITY_1}

It gave me desired result,

but if i use rename function as:

sourcetype="test_xml_as" | rename content_table.table2 as test | table test{@BUSINESS_ENTITY_1}

This search hasn't any result. The reason that i want to use rename is to reduce some internal XML field name that are very long.

So anyone can tell which function i should use to reduce XML field name ?

Tags (1)
0 Karma
Reply

sbsbb
Builder
‎04-16-2013 10:57 AM

For that you have to use spath...
You can spath a specific element, and then with a pipe make a second spath...

Spath input=input_field output=output_field path="path.to.my.container" | spath input=ouputfield path=path.into.my.container

Or simply the second spath without parameter will return all values in fields...

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎11-20-2012 05:45 AM

You can use xpath to take a really long path and simplify it to a single field.

Try This:

sourcetype="text_xml_as"|xpath outfield=test "content_table.table2{@BUSINESS_ENTITY_1}"|table test

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Xpath

0 Karma
Reply

sieutruc
Contributor
‎11-20-2012 07:46 AM

i tested it, it doesn't work , 😞

sourcetype=text_xml_as|xpath outfield=test "//content_table/table2"|table test{@BUSINESS_ENTITY_1}

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎11-20-2012 07:22 AM

I believe it can be done in same way, but haven't tested it. sourcetype=text_xml_as|xpath outfield=test "content_table.table2"|table test{@BUSINESS_ENTITY_1}

0 Karma
Reply

sieutruc
Contributor
‎11-20-2012 07:21 AM

What i mean is to reduce content_table.table2 to only one field and use it to reference to its children field or its properties.

For example:

test:=content_table.table2

test{@BUSINESS_ENTITY_1} gives a result

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...