Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- XML field extraction with spath
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
4uramana4u
Explorer
01-14-2021
11:44 PM
eval FunctionalRef=spath(_raw,"n2:EvtMsg.Bd.BOEvt.Evt.DatElGrp{2}.DatEl.Val") -> I am getting two(2) values DHL5466256965140262WH3, DE4608089.
Instead I should get only DHL5466256965140262WH3. So this value is not static
XML Snippet:
<DatElGrp Cd="CommonGrp">
<DatEl>
<Cd>FunctionalRef</Cd>
<Val>DHL5466256965140262WH3</Val>
</DatEl>
<DatEl>
<Cd>DeclarantID</Cd>
<Val>DE4608089</Val>
</DatEl>
</DatElGrp>
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
01-15-2021
05:27 AM
index=_internal | head 1 | fields _raw
| eval _raw="<DatElGrp Cd=\"CommonGrp\">
<DatEl>
<Cd>FunctionalRef</Cd>
<Val>DHL5466256965140262WH3</Val>
</DatEl>
<DatEl>
<Cd>DeclarantID</Cd>
<Val>DE4608089</Val>
</DatEl>
</DatElGrp>"
| spath DatElGrp.DatEl.Cd{1}
| spath DatElGrp.DatEl.Val{1}- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
01-15-2021
05:27 AM
index=_internal | head 1 | fields _raw
| eval _raw="<DatElGrp Cd=\"CommonGrp\">
<DatEl>
<Cd>FunctionalRef</Cd>
<Val>DHL5466256965140262WH3</Val>
</DatEl>
<DatEl>
<Cd>DeclarantID</Cd>
<Val>DE4608089</Val>
</DatEl>
</DatElGrp>"
| spath DatElGrp.DatEl.Cd{1}
| spath DatElGrp.DatEl.Val{1}- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
4uramana4u
Explorer
01-15-2021
06:21 AM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
01-15-2021
04:44 AM
index=_internal | head 1 | fields _raw
| eval _raw="<DatElGrp Cd=\"CommonGrp\">
<DatEl>
<Cd>FunctionalRef</Cd>
<Val>DHL5466256965140262WH3</Val>
</DatEl>
<DatEl>
<Cd>DeclarantID</Cd>
<Val>DE4608089</Val>
</DatEl>
</DatElGrp>"
| spath
| rename DatElGrp{@Cd} as GrpCd, DatElGrp.* as *
| foreach DatEl.* [ eval <<FIELD>> = mvindex('<<FIELD>>' , 0)]
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
