Splunk Search

Why is the xpath search command not extracting the expected result from my sample XML data?

TheRayTracer
Explorer

Hi!

I would like to use the xpath search command to extract my test results from daily XML files. I have created the following bare-bones proof-of-concept scenario in order to use the xpath command.

This is an example of my XML events. Each is a single event/transaction:

<?xml version="1.0" encoding="UTF-8"?>
<TestRun id="7bfd7618-602a-4276-9f88-22c1d8bc630b" runUser="joe">
  <Result outcome="passed" />
</TestRun>

The following are my inputs.conf and props.conf for data ingestion:

inputs.conf

[monitor://\\MyServer\Results\Splunk\*.xml]
disabled = false
sourcetype = xml_test

props.conf

[xml_test]
TRUNCATE = 1000000
KV_MODE = xml
LINE_BREAKER = (</TestRun>)             ###Last element of the XML file
MAX_TIMESTAMP_LOOKAHEAD = 150
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false

The following is the search that I am trying to get working:

sourcetype="xml_test" | xpath outfield=myresult /TestRun/Result/@outcome field=_raw default=broken | table myresult

I am expecting a table with a single entry of "passed".

However, the table contains the entry "broken" due to the usage of the default parameter.

I am using the latest version of Splunk Light 6.2.5.

I have read the official xpath documentation for Splunk and my sample is just a simple one.

Does anyone have any advice as to what I have missed or why the xpath search command is not working as expected?

Thanks!

1 Solution

TheRayTracer
Explorer

It seems that the xpath search command is fundamentally broken out-of-the-box. It is very strange that no one has noticed this or how this passed Splunk's QA team. Following the advice from this Splunk Answer: http://answers.splunk.com/answers/213680/xpath-bug-default-value-always-returned.html I modified the xpath.py script to add and remove the following lines:

Removed:

# make event value valid xml
myxml = "<data>%s</data>" % myxml

Added:

result[outfield] = values
added = True

The command now works as expected.


alacercogitatus
SplunkTrust

I think it's a problem with your LINE_BREAKER. From the docs: The contents of the first capturing group are discarded, and will not be present in any event. Therefore, your event is not valid XML.

Try this:

LINE_BREAKER = </TestRun>([\r\n]+)

Restart, and try your search again.

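As an added illustration (not code from this thread and not Splunk's own xpath.py), the following Python approximates both points made above: the documented LINE_BREAKER rule that the first capturing group is discarded, and the "<data>%s</data>" wrapping that the accepted answer removed, which cannot be parsed when the event begins with an XML declaration. The regex splitter, the path evaluator and the sample file are simplified stand-ins I wrote for this page, not Splunk's implementation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the XML file from the question.
SAMPLE_FILE = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<TestRun id="7bfd7618-602a-4276-9f88-22c1d8bc630b" runUser="joe">\n'
    '  <Result outcome="passed" />\n'
    '</TestRun>\n'
)

def break_events(data, line_breaker):
    """Rough model of LINE_BREAKER (not Splunk's code): split on the regex
    and drop the text matched by its first capturing group."""
    events, start = [], 0
    for m in re.finditer(line_breaker, data):
        events.append(data[start:m.start(1)])
        start = m.end(1)
    events.append(data[start:])
    return [e for e in events if e.strip()]

def eval_path(root, path):
    """Tiny evaluator for absolute paths such as /TestRun/Result/@outcome;
    ElementTree's find() cannot select attributes, so walk the steps by hand."""
    steps = path.strip("/").split("/")
    attr = steps.pop()[1:] if steps[-1].startswith("@") else None
    if root.tag != steps[0]:
        return None
    node = root
    for step in steps[1:]:
        node = node.find(step)
        if node is None:
            return None
    return node.get(attr) if attr else (node.text or "")

def xpath_cmd(event, path, default="broken", wrap=True):
    """Mimic the xpath command on _raw. wrap=True reproduces the stock
    '<data>%s</data>' wrapping; wrap=False is the patched behaviour."""
    myxml = "<data>%s</data>" % event if wrap else event
    try:
        root = ET.fromstring(myxml)
    except ET.ParseError:
        # A declaration after '<data>' or a missing end tag both land here.
        return default
    value = eval_path(root, path)
    return default if value is None else value
```

Running xpath_cmd over break_events(SAMPLE_FILE, r"(</TestRun>)") yields "broken" even without the wrapper, because the end tag was discarded; with r"</TestRun>([\r\n]+)" the event is complete and only the unwrapped call returns "passed".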

TheRayTracer
Explorer

This is strange. According to the documentation what you have stated should make sense, but for each event, the entire XML fragment was included as posted in the question - including the end TestRun tag.
