Re: Xpath command is not giving result

jayadevanepSPL · ‎09-12-2016

I have a XML embedded in another XML with escape characters

<Audit>
<tracker>XXXXX123</tracker>
<Message>&lt?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?>&ltABCxmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:qu=&quot;http://qqqq.xsd&quot; xmlns:v1=&quot;http://www&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;>
&ltRM>
&ltCode>111&lt/Code>
&ltState>Avilable&lt/State>
&lt/RM> 
&ltRM>
&ltCode>222&lt/Code>
&ltState>Not avilable&lt/State>
&lt/RM>
&ltRM>
&ltCode>333&lt/Code>
&ltState>Not sure&lt/State>
&lt/RM>
&lt/ABC>
</Message>
</Audit>

I am suing below command to extract and convert the embedded XML to correct format. This page is not allow to how escape characters so removed the ";"

| rex "\<Message\>(?<Message>.*)\<\/Message\>" 
| eval Message1 = replace (Message,"&lt","<")
| eval Message2 = replace (Message1,"&gt",">")
| eval Message3 = replace (Message2,"&quot","\"")

Message3 giving below output

<?xml version="1.0" encoding="UTF-8"?><ABC xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:qu="http://qqqq.xsd" xmlns:v1="http://www" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<RM>
<Code>111</Code>
<State>Avilable</State>
</RM>
<RM>
<Code>222</Code>
<State>Not avilable</State>
</RM>
<RM>
<Code>333</Code>
<State>Not sure</State>
</RM>
</ABC>

Now I want to get RM in to one veriable if state is = “Not available”. I am using below command for that.

| xpath field=Message3  "// ABC / RM [State=' Not available ']" outfield=NAV

But NAV is not giving any result. Can you please help to fix the issue ?

somesoni2 · ‎09-12-2016

The value based filter is not supported in Splunk's spath. (see the spath documentation for supported functionalities). Something like this would work for your requirement (run anywhere example, first few lines are just to generate sample data).

| gentimes start=-1 | eval _raw="<Audit>
 <tracker>XXXXX123</tracker>
 <Message>&lt?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?>&ltABCxmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xmlns:qu=&quot;http://qqqq.xsd&quot; xmlns:v1=&quot;http://www&quot; xmlns:xsd=&quot;http://www.w3.org/2001/XMLSchema&quot;>
 &ltRM>
 &ltCode>111&lt/Code>
 &ltState>Avilable&lt/State>
 &lt/RM>    
 &ltRM>
 &ltCode>222&lt/Code>
 &ltState>Not available&lt/State>
 &lt/RM>
 &ltRM>
 &ltCode>333&lt/Code>
 &ltState>Not sure&lt/State>
 &lt/RM>
 &lt/ABC>
 </Message>
 </Audit>" | table _raw | spath | rename Audit.Message as Message | eval Message1 = replace (Message,"&lt","<")
 | eval Message1 = replace (Message1,"&gt",">")
 | eval Message3 = replace (Message1,"&quot","\"") | eval Message4=replace(Message3,"^([^\>]+)","") | eval Message5=replace(Message4,"^\>([^\>]+)\>","") | table Message5 | spath input=Message5 | eval temp=mvzip('RM.Code','RM.State',"#") | eval temp=mvfilter(match(temp,"#Not available"))

jayadevanepSPL · ‎09-12-2016

Is this because of the presence of name space ?

jayadevanepSPL · ‎09-12-2016

I am using splunk version 6.3.1

sundareshr · ‎09-12-2016

Have you tried spath? http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Spath

jayadevanepSPL · ‎09-12-2016

but it seems there is no condition i can put for Spath .. Can I ?

sundareshr · ‎09-12-2016

See if this helps

https://answers.splunk.com/answers/389697/how-to-extract-json-data-based-on-a-specific-value.html

Xpath command is not giving result

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation