Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Using spath or xpath
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using spath or xpath
Below is my xml from which i need the Name and code under every option
<options>
<name>MESSAGING + DATA UNL</name>
<code>MSGD</code>
<description>MESSAGING + DATA UNL</description>
<category>ALL</category>
<price>30.0</price>
</options>
<options>
<name>UMTS Compatible</name>
<code>UMTS</code>
<description>UMTS Compatible</description>
<category>ALL</category>
<price>0.0</price>
</options>
<options>
<name>Roadside Assistance</name>
<code>CRS</code>
<description>Roadside Assistance</description>
<category>ALL</category>
<price>2.99</price>
</options>
<options>
<name>EXPANDEDINTLROAM</name>
<code>IRXP</code>
<description>EXPANDEDINTLROAM</description>
<category>ALL</category>
<price>0.0</price>
</options>
i have tried both spath and xpath, at the most i am getting a single line value that is ExpandedINTLROAM when i use xmlkv, but i am looking for all the values under options/name in a list... please can someone help as to what is not being done right here
index=beast_app sourcetype="beast_us_cap_app_beast_parallel" "<cap:PostpaidAccountValidationResponse" 00080000806700015159 "2013.01.15 13:04:28:815"|xmlkv| xpath "//Body/accountInfo/subscriber/options/name" outfield=name| stats values(name)
sourcetype="beast_us_cap_app_beast_parallel" "<cap:PostpaidAccountValidationResponse" 00080000806700015159 "2013.01.15 13:04:28:815"|spath input=body output=name path=Body.accountInfo.subscriber.options.name|dedup name|table name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, @yaminims.
Can you be more specific about what your XML looks like when it is returned in Splunk events? Is it broken up into separate events, so that the events fall cleanly between "<options>" and "</options>" keys? If not, is your search returning one big XML event? Or is it something else all together?
Either way, when I drop your XML into my Splunk instance, I am able to extract both the "name" and "code" text from each XML tag using spath. The only difference in output is one table has four separate rows for each <options> and the other table has one row with four lines in it the row.
Here is my search that produces a table with a row for each text pair:
my_search_terms | spath options.code | spath options.name | table options.name options.code
And here are my results:
options.name options.code
1 EXPANDEDINTLROAM IRXP
2 Roadside Assistance CRS
3 UMTS Compatible UMTS
4 MESSAGING + DATA UNL MSGD
You can easily rename the fields "option.name" and "options.code" to whatever you would like using rename.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
helped me to understand spath
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
