Hello, So xpath feature is great, but I have this issue. We deal with XML messaging from our customers and would like to extract some field data using xpath queries to run stats. I was able to create a field extraction that will pull out xml message, but I can't figure out how to tell Splunk to perform the xpath query on an extracted field.
Here's what a sample event looks like this:
20101117 161059.999 DEBUG[D] clpr ZZZ:[PROD ZZZ|FIXML3-ReaderThread-105] :CMBSource ZZZ|FIXML3, Underlying Source=[WeblogicJmsSource PROD_XXXX_JMSServer/PROD_XXX!ZZZ_FIXML_IN, TxMode=2] read MessageID 5540635964843910837 --> DESTINATION_NAME= SOURCE_NAME=FIXML3 CORRELATION_ID=5540644259047556424 JMSXDeliveryCount=1 Payload(String)=<?xml version="1.0" encoding="UTF-8"?><FIXML><AllocRptAck MsgEvtSrc="MQM" TxnTm="2010-11-17T16:10:59-06:00" InptDev="API" RptTyp="9" RptID="2" ID="123456" TransTyp="0" TrdDt="2010-11-17"><Hdr Snt="2010-11-17T16:10:59-06:00"/><Pty ID="CBT" R="22"></Pty></AllocAck></AllocRptAck></FIXML>
I created a field extraction that takes everything between the two FIXML tags and creates a field, but cannot figure out how to execute xpath queries on this in Splunk. It is a valid XML but how do I tell splunk to just use that field I've identified so that I can use xpath. Note: xmlkv won't work for this because of the nature of the messages as seen above.
I tried to work with XML and xpath but so far without full success. I started to create my own function for it but it's very far to be finished. But this is probably because I'm haven't used the product for a long time. Have you tried to use rex? For instance, rex (?.*) or something similar to extract what you need. Hope that helps.
I know I could write a regular expression to get the field out of the XML, but it would be nice to use xpath queries so I could after different types of data.