Splunk Search

Using spath or xpath

yaminims
New Member

Below is my xml from which i need the Name and code under every option

    <options>
           <name>MESSAGING + DATA UNL</name>
           <code>MSGD</code>
           <description>MESSAGING + DATA UNL</description>
           <category>ALL</category>
           <price>30.0</price>
        </options>
        <options>
           <name>UMTS Compatible</name>
           <code>UMTS</code>
           <description>UMTS Compatible</description>
           <category>ALL</category>
           <price>0.0</price>
        </options>
        <options>
           <name>Roadside Assistance</name>
           <code>CRS</code>
           <description>Roadside Assistance</description>
           <category>ALL</category>
           <price>2.99</price>
        </options>
        <options>
           <name>EXPANDEDINTLROAM</name>
           <code>IRXP</code>
           <description>EXPANDEDINTLROAM</description>
           <category>ALL</category>
           <price>0.0</price>
        </options>

i have tried both spath and xpath, at the most i am getting a single line value that is ExpandedINTLROAM when i use xmlkv, but i am looking for all the values under options/name in a list... please can someone help as to what is not being done right here

index=beast_app sourcetype="beast_us_cap_app_beast_parallel" "<cap:PostpaidAccountValidationResponse" 00080000806700015159 "2013.01.15 13:04:28:815"|xmlkv| xpath "//Body/accountInfo/subscriber/options/name" outfield=name| stats values(name)

sourcetype="beast_us_cap_app_beast_parallel" "<cap:PostpaidAccountValidationResponse" 00080000806700015159 "2013.01.15 13:04:28:815"|spath input=body output=name path=Body.accountInfo.subscriber.options.name|dedup name|table name

Tags (1)
0 Karma

sspencer_splunk
Splunk Employee
Splunk Employee

Hi, @yaminims.

Can you be more specific about what your XML looks like when it is returned in Splunk events? Is it broken up into separate events, so that the events fall cleanly between "<options>" and "</options>" keys? If not, is your search returning one big XML event? Or is it something else all together?

Either way, when I drop your XML into my Splunk instance, I am able to extract both the "name" and "code" text from each XML tag using spath. The only difference in output is one table has four separate rows for each <options> and the other table has one row with four lines in it the row.


Here is my search that produces a table with a row for each text pair:

my_search_terms | spath options.code | spath options.name | table options.name options.code

And here are my results:

    options.name              options.code
1   EXPANDEDINTLROAM          IRXP
2   Roadside Assistance       CRS
3   UMTS Compatible           UMTS
4   MESSAGING + DATA UNL      MSGD

You can easily rename the fields "option.name" and "options.code" to whatever you would like using rename.

0 Karma

riqbal
Communicator

helped me to understand spath

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...