Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Using xpath queries on events that contain text an...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using xpath queries on events that contain text and xml
Mikey_C
Engager
11-17-2010
11:18 PM
Hello, So xpath feature is great, but I have this issue. We deal with XML messaging from our customers and would like to extract some field data using xpath queries to run stats. I was able to create a field extraction that will pull out xml message, but I can't figure out how to tell Splunk to perform the xpath query on an extracted field.
Here's what a sample event looks like this:
20101117 161059.999 DEBUG[D] clpr ZZZ:[PROD ZZZ|FIXML3-ReaderThread-105] :CMBSource ZZZ|FIXML3, Underlying Source=[WeblogicJmsSource PROD_XXXX_JMSServer/PROD_XXX!ZZZ_FIXML_IN, TxMode=2] read MessageID 5540635964843910837 -->
DESTINATION_NAME=
SOURCE_NAME=FIXML3
CORRELATION_ID=5540644259047556424
JMSXDeliveryCount=1
Payload(String)=<?xml version="1.0" encoding="UTF-8"?><FIXML><AllocRptAck MsgEvtSrc="MQM" TxnTm="2010-11-17T16:10:59-06:00" InptDev="API" RptTyp="9" RptID="2" ID="123456" TransTyp="0" TrdDt="2010-11-17"><Hdr Snt="2010-11-17T16:10:59-06:00"/><Pty ID="CBT" R="22"></Pty></AllocAck></AllocRptAck></FIXML>
I created a field extraction that takes everything between the two FIXML tags and creates a field, but cannot figure out how to execute xpath queries on this in Splunk. It is a valid XML but how do I tell splunk to just use that field I've identified so that I can use xpath. Note: xmlkv won't work for this because of the nature of the messages as seen above.
Thanks! -Mike
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ftk
Motivator
12-02-2010
08:13 PM
According to the documentation for the xpath command, you should be able to use it on your field as such:
your search | xpath field=your_field "//blah/node"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OL
Communicator
11-18-2010
07:47 AM
I tried to work with XML and xpath but so far without full success. I started to create my own function for it but it's very far to be finished. But this is probably because I'm haven't used the product for a long time. Have you tried to use rex? For instance, rex (?.*) or something similar to extract what you need. Hope that helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mikey_C
Engager
11-18-2010
05:01 PM
I know I could write a regular expression to get the field out of the XML, but it would be nice to use xpath queries so I could after different types of data.
Get Updates on the Splunk Community!
SplunkTrust Application Period is Officially OPEN!
It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open!
If you ...
Splunk Answers Content Calendar, June Edition II
Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
