Splunk Search

How to rename an XML field name to a shorter name?

sieutruc
Contributor

Hello,

I have difficulty manipulating XML field names. If I use something like:

sourcetype="test_xml_as" | table content_table.table2{@BUSINESS_ENTITY_1}

it gives me the desired result,

but if I use the rename function like this:

sourcetype="test_xml_as" | rename content_table.table2 as test | table test{@BUSINESS_ENTITY_1}

this search returns no results. The reason I want to use rename is to shorten some internal XML field names that are very long.

So can anyone tell me which function I should use to shorten XML field names?


sbsbb
Builder

For that you have to use spath...
You can spath a specific element, and then with a pipe do a second spath...

spath input=input_field output=output_field path="path.to.my.container" | spath input=output_field path="path.into.my.container"

Or simply the second spath without parameters will return all values in fields...


alacercogitatus
SplunkTrust

You can use xpath to take a really long path and simplify it to a single field.

Try This:

sourcetype="text_xml_as"|xpath outfield=test "content_table.table2{@BUSINESS_ENTITY_1}"|table test

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Xpath

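To make the two suggestions above concrete, here is an added example that is not part of either answer or of the original question. It builds a one-row XML event with makeresults and eval, so it runs on any Splunk instance without the test_xml_as sourcetype; the element names, attribute names and values (ACME, ACME-EU, the row element) are constructed for the example. The first search does what the question asks for directly: spath pulls the attribute into a short field name, so no rename is needed. The second shows why the rename in the question matched nothing: once spath has extracted everything, the attribute lives in a field literally named content_table.table2{@BUSINESS_ENTITY_1}, while content_table.table2 by itself is a container path and not a field, so rename must be given the full extracted name (quoted, because of the braces and the @). The third restates the first with xpath; it assumes the xpath command accepts a standard XPath attribute step (/@BUSINESS_ENTITY_1), which the thread does not confirm.

```spl
| makeresults
| eval _raw="<content_table><table2 BUSINESS_ENTITY_1=\"ACME\" BUSINESS_ENTITY_2=\"ACME-EU\"><row>1</row></table2></content_table>"
| spath output=test path="content_table.table2{@BUSINESS_ENTITY_1}"
| table test

| makeresults
| eval _raw="<content_table><table2 BUSINESS_ENTITY_1=\"ACME\" BUSINESS_ENTITY_2=\"ACME-EU\"><row>1</row></table2></content_table>"
| spath
| rename "content_table.table2{@BUSINESS_ENTITY_1}" as test, "content_table.table2.row" as row
| table test row

| makeresults
| eval _raw="<content_table><table2 BUSINESS_ENTITY_1=\"ACME\"><row>1</row></table2></content_table>"
| xpath outfield=test "//content_table/table2/@BUSINESS_ENTITY_1"
| table test
```

Run the three searches separately. On a real sourcetype whose XML fields are already auto-extracted, the spath line in the second search can be dropped and the rename applied directly, but the field named in the rename still has to be the full extracted name including the {@...} suffix; there is no way to rename the content_table.table2 prefix once and then address its children or attributes through the new prefix.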

sieutruc
Contributor

I tested it, it doesn't work 😞

sourcetype=text_xml_as|xpath outfield=test "//content_table/table2"|table test{@BUSINESS_ENTITY_1}


alacercogitatus
SplunkTrust

I believe it can be done in the same way, but I haven't tested it.

sourcetype=text_xml_as|xpath outfield=test "content_table.table2"|table test{@BUSINESS_ENTITY_1}


sieutruc
Contributor

What I mean is to reduce content_table.table2 to a single field and use it to reference its child fields or its attributes.

For example:

test:=content_table.table2

test{@BUSINESS_ENTITY_1} gives a result
