Re: Using spath or xpath

yaminims · ‎01-15-2013

Below is my xml from which i need the Name and code under every option

    <options>
           <name>MESSAGING + DATA UNL</name>
           <code>MSGD</code>
           <description>MESSAGING + DATA UNL</description>
           <category>ALL</category>
           <price>30.0</price>
        </options>
        <options>
           <name>UMTS Compatible</name>
           <code>UMTS</code>
           <description>UMTS Compatible</description>
           <category>ALL</category>
           <price>0.0</price>
        </options>
        <options>
           <name>Roadside Assistance</name>
           <code>CRS</code>
           <description>Roadside Assistance</description>
           <category>ALL</category>
           <price>2.99</price>
        </options>
        <options>
           <name>EXPANDEDINTLROAM</name>
           <code>IRXP</code>
           <description>EXPANDEDINTLROAM</description>
           <category>ALL</category>
           <price>0.0</price>
        </options>

i have tried both spath and xpath, at the most i am getting a single line value that is ExpandedINTLROAM when i use xmlkv, but i am looking for all the values under options/name in a list... please can someone help as to what is not being done right here

index=beast_app sourcetype="beast_us_cap_app_beast_parallel" "<cap:PostpaidAccountValidationResponse" 00080000806700015159 "2013.01.15 13:04:28:815"|xmlkv| xpath "//Body/accountInfo/subscriber/options/name" outfield=name| stats values(name)

sourcetype="beast_us_cap_app_beast_parallel" "<cap:PostpaidAccountValidationResponse" 00080000806700015159 "2013.01.15 13:04:28:815"|spath input=body output=name path=Body.accountInfo.subscriber.options.name|dedup name|table name

sspencer_splunk · ‎01-16-2013

Hi, @yaminims.

Can you be more specific about what your XML looks like when it is returned in Splunk events? Is it broken up into separate events, so that the events fall cleanly between "<options>" and "</options>" keys? If not, is your search returning one big XML event? Or is it something else all together?

Either way, when I drop your XML into my Splunk instance, I am able to extract both the "name" and "code" text from each XML tag using spath. The only difference in output is one table has four separate rows for each <options> and the other table has one row with four lines in it the row.

Here is my search that produces a table with a row for each text pair:

my_search_terms | spath options.code | spath options.name | table options.name options.code

And here are my results:

    options.name              options.code
1   EXPANDEDINTLROAM          IRXP
2   Roadside Assistance       CRS
3   UMTS Compatible           UMTS
4   MESSAGING + DATA UNL      MSGD

You can easily rename the fields "option.name" and "options.code" to whatever you would like using rename.

riqbal · ‎08-28-2018

helped me to understand spath

Using spath or xpath

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation