Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

SPath and Aggregations

yinon_nadav
New Member
‎10-09-2012 07:49 AM

Hi,

I currently have a fairly complicated event format (see below 2 examples):

10/09/2012 09:49:55 126.115.88.95,< evn di="x12_S02" eid="21" ver1="3.5.3.21" pla="k" stc="Pil" uid="e508ssi"> < att key="14"> < it>77< /it>< /att>< att key="21">< it>2< /it>< /att>< att key="22">< it>x_77323F_ev_7EC457< /it>< /att>< /evn>

10/09/2012 09:49:55 126.115.88.95,< evn di="x12_S02" eid="21" ver1="3.5.3.21" pla="k" stc="Pil" uid="e508ssi">< att key="14">< it>50< /it>< /att>< att key="21">< it>2< /it>< /att>< att key="22">< it>x_77323F_ev_7EC457< /it>< /att>< /evn>

I need to extract the sum of the value for attribute key 14. for the above this is 77+50. so the result should be 127..
But i can't seem to get it right, not even the initial field value extraction:

spath evn.att{"14"}{@key}

any help is appreciated.

thanks,
Yinon

Tags (1)
0 Karma
Reply

eashwar
Communicator
‎03-29-2013 03:25 AM

Hello brother,

first you should extract the xml from the event add this line to the props.conf

EXTRACT-xml=(?i)(?P<xml>\<\sevn.+)

now you should use spath and specify the input field as xml

<your search>| spath input=xml

you can find your results in the field name {@evn}.{@att}.{@it}. you can also add path={@evn}.{@att}.{@it} to spath command

the search command you are looking for

use the below search if you did not add the EXTRACT to the props.conf 

index="     " sourcetype="      "  | rex field=_raw "(?i)(?P<xml>\<\sevn.+)"  | spath input=xml | stats sum({@evn}.{@att}.{@it})

use the below search if you have added the EXTRACT to the props.conf 

 index="     " sourcetype="      "    | spath input=xml | stats sum({@evn}.{@att}.{@it})

happy splunking,
yours,
eashwar raghunathan

consider voting if it helped you, thanks...

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...