Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to rename XML field name into shorter name ?

sieutruc
Contributor
‎11-20-2012 05:08 AM

Hello,

I get difficult when manipulating XML field name, if i use like:

sourcetype="test_xml_as" | table content_table.table2{@BUSINESS_ENTITY_1}

It gave me desired result,

but if i use rename function as:

sourcetype="test_xml_as" | rename content_table.table2 as test | table test{@BUSINESS_ENTITY_1}

This search hasn't any result. The reason that i want to use rename is to reduce some internal XML field name that are very long.

So anyone can tell which function i should use to reduce XML field name ?

Tags (1)
0 Karma
Reply

sbsbb
Builder
‎04-16-2013 10:57 AM

For that you have to use spath...
You can spath a specific element, and then with a pipe make a second spath...

Spath input=input_field output=output_field path="path.to.my.container" | spath input=ouputfield path=path.into.my.container

Or simply the second spath without parameter will return all values in fields...

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎11-20-2012 05:45 AM

You can use xpath to take a really long path and simplify it to a single field.

Try This:

sourcetype="text_xml_as"|xpath outfield=test "content_table.table2{@BUSINESS_ENTITY_1}"|table test

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Xpath

0 Karma
Reply

sieutruc
Contributor
‎11-20-2012 07:46 AM

i tested it, it doesn't work , 😞

sourcetype=text_xml_as|xpath outfield=test "//content_table/table2"|table test{@BUSINESS_ENTITY_1}

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎11-20-2012 07:22 AM

I believe it can be done in same way, but haven't tested it. sourcetype=text_xml_as|xpath outfield=test "content_table.table2"|table test{@BUSINESS_ENTITY_1}

0 Karma
Reply

sieutruc
Contributor
‎11-20-2012 07:21 AM

What i mean is to reduce content_table.table2 to only one field and use it to reference to its children field or its properties.

For example:

test:=content_table.table2

test{@BUSINESS_ENTITY_1} gives a result

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...