Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

SPath and Aggregations

yinon_nadav
New Member
‎10-09-2012 07:49 AM

Hi,

I currently have a fairly complicated event format (see below 2 examples):

10/09/2012 09:49:55 126.115.88.95,< evn di="x12_S02" eid="21" ver1="3.5.3.21" pla="k" stc="Pil" uid="e508ssi"> < att key="14"> < it>77< /it>< /att>< att key="21">< it>2< /it>< /att>< att key="22">< it>x_77323F_ev_7EC457< /it>< /att>< /evn>

10/09/2012 09:49:55 126.115.88.95,< evn di="x12_S02" eid="21" ver1="3.5.3.21" pla="k" stc="Pil" uid="e508ssi">< att key="14">< it>50< /it>< /att>< att key="21">< it>2< /it>< /att>< att key="22">< it>x_77323F_ev_7EC457< /it>< /att>< /evn>

I need to extract the sum of the value for attribute key 14. for the above this is 77+50. so the result should be 127..
But i can't seem to get it right, not even the initial field value extraction:

spath evn.att{"14"}{@key}

any help is appreciated.

thanks,
Yinon

Tags (1)
0 Karma
Reply

eashwar
Communicator
‎03-29-2013 03:25 AM

Hello brother,

first you should extract the xml from the event add this line to the props.conf

EXTRACT-xml=(?i)(?P<xml>\<\sevn.+)

now you should use spath and specify the input field as xml

<your search>| spath input=xml

you can find your results in the field name {@evn}.{@att}.{@it}. you can also add path={@evn}.{@att}.{@it} to spath command

the search command you are looking for

use the below search if you did not add the EXTRACT to the props.conf 

index="     " sourcetype="      "  | rex field=_raw "(?i)(?P<xml>\<\sevn.+)"  | spath input=xml | stats sum({@evn}.{@att}.{@it})

use the below search if you have added the EXTRACT to the props.conf 

 index="     " sourcetype="      "    | spath input=xml | stats sum({@evn}.{@att}.{@it})

happy splunking,
yours,
eashwar raghunathan

consider voting if it helped you, thanks...

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...

Developer Spotlight with Mika Borner

From Hackathon Winner to Enterprise Leader    Mika Borner, CEO and Founder of Datapunctum AG, has been ...

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...