Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Using xpath queries on events that contain text an...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using xpath queries on events that contain text and xml
Mikey_C
Engager
11-17-2010
11:18 PM
Hello, So xpath feature is great, but I have this issue. We deal with XML messaging from our customers and would like to extract some field data using xpath queries to run stats. I was able to create a field extraction that will pull out xml message, but I can't figure out how to tell Splunk to perform the xpath query on an extracted field.
Here's what a sample event looks like this:
20101117 161059.999 DEBUG[D] clpr ZZZ:[PROD ZZZ|FIXML3-ReaderThread-105] :CMBSource ZZZ|FIXML3, Underlying Source=[WeblogicJmsSource PROD_XXXX_JMSServer/PROD_XXX!ZZZ_FIXML_IN, TxMode=2] read MessageID 5540635964843910837 -->
DESTINATION_NAME=
SOURCE_NAME=FIXML3
CORRELATION_ID=5540644259047556424
JMSXDeliveryCount=1
Payload(String)=<?xml version="1.0" encoding="UTF-8"?><FIXML><AllocRptAck MsgEvtSrc="MQM" TxnTm="2010-11-17T16:10:59-06:00" InptDev="API" RptTyp="9" RptID="2" ID="123456" TransTyp="0" TrdDt="2010-11-17"><Hdr Snt="2010-11-17T16:10:59-06:00"/><Pty ID="CBT" R="22"></Pty></AllocAck></AllocRptAck></FIXML>
I created a field extraction that takes everything between the two FIXML tags and creates a field, but cannot figure out how to execute xpath queries on this in Splunk. It is a valid XML but how do I tell splunk to just use that field I've identified so that I can use xpath. Note: xmlkv won't work for this because of the nature of the messages as seen above.
Thanks! -Mike
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ftk
Motivator
12-02-2010
08:13 PM
According to the documentation for the xpath command, you should be able to use it on your field as such:
your search | xpath field=your_field "//blah/node"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OL
Communicator
11-18-2010
07:47 AM
I tried to work with XML and xpath but so far without full success. I started to create my own function for it but it's very far to be finished. But this is probably because I'm haven't used the product for a long time. Have you tried to use rex? For instance, rex (?.*) or something similar to extract what you need. Hope that helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mikey_C
Engager
11-18-2010
05:01 PM
I know I could write a regular expression to get the field out of the XML, but it would be nice to use xpath queries so I could after different types of data.
Get Updates on the Splunk Community!
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
