Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

SPath and Aggregations

yinon_nadav
New Member
‎10-09-2012 07:49 AM

Hi,

I currently have a fairly complicated event format (see below 2 examples):

10/09/2012 09:49:55 126.115.88.95,< evn di="x12_S02" eid="21" ver1="3.5.3.21" pla="k" stc="Pil" uid="e508ssi"> < att key="14"> < it>77< /it>< /att>< att key="21">< it>2< /it>< /att>< att key="22">< it>x_77323F_ev_7EC457< /it>< /att>< /evn>

10/09/2012 09:49:55 126.115.88.95,< evn di="x12_S02" eid="21" ver1="3.5.3.21" pla="k" stc="Pil" uid="e508ssi">< att key="14">< it>50< /it>< /att>< att key="21">< it>2< /it>< /att>< att key="22">< it>x_77323F_ev_7EC457< /it>< /att>< /evn>

I need to extract the sum of the value for attribute key 14. for the above this is 77+50. so the result should be 127..
But i can't seem to get it right, not even the initial field value extraction:

spath evn.att{"14"}{@key}

any help is appreciated.

thanks,
Yinon

Tags (1)
0 Karma
Reply

eashwar
Communicator
‎03-29-2013 03:25 AM

Hello brother,

first you should extract the xml from the event add this line to the props.conf

EXTRACT-xml=(?i)(?P<xml>\<\sevn.+)

now you should use spath and specify the input field as xml

<your search>| spath input=xml

you can find your results in the field name {@evn}.{@att}.{@it}. you can also add path={@evn}.{@att}.{@it} to spath command

the search command you are looking for

use the below search if you did not add the EXTRACT to the props.conf 

index="     " sourcetype="      "  | rex field=_raw "(?i)(?P<xml>\<\sevn.+)"  | spath input=xml | stats sum({@evn}.{@att}.{@it})

use the below search if you have added the EXTRACT to the props.conf 

 index="     " sourcetype="      "    | spath input=xml | stats sum({@evn}.{@att}.{@it})

happy splunking,
yours,
eashwar raghunathan

consider voting if it helped you, thanks...

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...