I would like to use the xpath search command to extract my test results from daily XML files. I have created the following bare-bones proof-of-concept scenario in order to use the xpath command.
This is an example of my XML events. Each is a single event/transaction:
<?xml version="1.0" encoding="UTF-8"?>
<TestRun id="7bfd7618-602a-4276-9f88-22c1d8bc630b" runUser="joe">
  <Result outcome="passed" />
</TestRun>
The following are my inputs.conf and props.conf for data ingestion:
[monitor://\\MyServer\Results\Splunk\*.xml]
disabled = false
sourcetype = xml_test
[xml_test]
TRUNCATE = 1000000
KV_MODE = xml
LINE_BREAKER = (</TestRun>) ###Last element of the XML file
MAX_TIMESTAMP_LOOKAHEAD = 150
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
The following is the search that I am trying to get working:
sourcetype="xml_test" | xpath outfield=myresult /TestRun/Result/@outcome field=_raw default=broken | table myresult
I am expecting a table with a single entry of "passed".
However, the table contains the entry "broken" due to the usage of the default parameter.
I am using the latest version of Splunk Light 6.2.5.
I have read the official xpath documentation for Splunk and my sample is just a simple one.
Does anyone have any advice as to what I have missed or why the xpath search command is not working as expected?
I think it's a problem with your LINE_BREAKER. From the docs:
"The contents of the first capturing group are discarded, and will not be present in any event."
Therefore, your event is not valid XML.
LINE_BREAKER = </TestRun>([\r\n]+)
Restart, and try your search again.
This is strange. According to the documentation what you have stated should make sense, but for each event, the entire XML fragment was included as posted in the question - including the end TestRun tag.
It seems that the xpath search command is fundamentally broken out-of-the-box. It is very strange that no one has noticed this or how this passed Splunk's QA team. Following the advice from this Splunk Answer: http://answers.splunk.com/answers/213680/xpath-bug-default-value-always-returned.html I modified the xpath.py script to add and remove the following lines:
# make event value valid xml
myxml = "<data>%s</data>" % myxml

result[outfield] = values
added = True
The command now works as expected.
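An added example, not part of the thread and not Splunk's xpath.py: a Python standard-library sketch of how the event shapes discussed above behave under the question's XPath. It covers an event whose closing tag was consumed by the LINE_BREAKER capture group, a complete event, and a complete event wrapped in `<data>%s</data>` before parsing. `break_events`, `xpath_attr` and `run` are hypothetical helpers, the two-event stream is constructed, and the splitter only approximates the capture-group behaviour quoted from the docs.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: two copies of the event from the question, newline-separated.
EVENT = ('<?xml version="1.0" encoding="UTF-8"?> '
         '<TestRun id="7bfd7618-602a-4276-9f88-22c1d8bc630b" runUser="joe"> '
         '<Result outcome="passed" /> </TestRun>')
STREAM = EVENT + "\n" + EVENT + "\n"


def break_events(stream, line_breaker):
    """Approximate LINE_BREAKER: text matched by capture group 1 is dropped;
    what precedes the group ends one event, what follows starts the next."""
    events, start = [], 0
    for m in re.finditer(line_breaker, stream):
        events.append(stream[start:m.start(1)])
        start = m.end(1)
    events.append(stream[start:])
    return [e for e in events if e.strip()]


def xpath_attr(raw, path, default="broken"):
    """Hypothetical helper: evaluate an absolute /a/b/@attr path on one event,
    returning `default` when the event is not well-formed or nothing matches."""
    steps = path.strip("/").split("/")
    attr = steps.pop()[1:]                  # "@outcome" -> "outcome"
    try:
        root = ET.fromstring(raw.strip())
    except ET.ParseError:                   # missing close tag, misplaced <?xml ?>
        return default
    if root.tag != steps[0]:                # an absolute path starts at the root
        return default
    nodes = root.findall("/".join(steps[1:])) if steps[1:] else [root]
    values = [n.get(attr) for n in nodes if n.get(attr) is not None]
    return values[0] if values else default


def run(line_breaker, wrap=False):
    """Break the stream into events, optionally wrap each one, then query it."""
    results = []
    for ev in break_events(STREAM, line_breaker):
        raw = "<data>%s</data>" % ev if wrap else ev
        results.append(xpath_attr(raw, "/TestRun/Result/@outcome"))
    return results
```

With the wrapper applied, the `<?xml ... ?>` declaration is no longer at the start of the document and the root element becomes `data`, so either condition alone sends the query to its default.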