Hi,
I have a huge XML and I have written a query to break the XML.
Let me explain with a small example (though I am doing this on a bigger file, I am showing this for understanding).
My main XML:
<Head>
  <Doc>
    <node>{data..}</node>
    <node>{data..}</node>
  </Doc>
  <Doc>
    <node>{data..}</node>
    <node>{data..}</node>
  </Doc>
  <Doc>
    <node>{data..}</node>
  </Doc>
</Head>
I have written a query to get the XML nodes. Now the results will be like this.
My query is like this:
index = "<index>" | xmlkv | spath output=node path=<MY_XPATH> | mvexpand node | table node
After that, results would look like below.
<node>{data..}</node>
<node>{data..}</node>
<node>{data..}</node>
<node>{data..}</node>
<node>{data..}</node>
Now, how can I apply xmlkv to get the data out of the results above?
I do not want to apply it on the actual XML, as it is huge and I do not need all the data.
Thank You,
Regards,
Srini.
Hi,
I don't have access to an instance of Splunk right now but would the following maybe work for you?
Your query above
| spath input=node
Regards,
J
Hi Javier,
No, that is not what I want. I want to apply xmlkv on the results of the search, so that I can get the data directly from the broken XML.
Hi,
Still confused by what you are trying to achieve. Take a look at this:
| stats count | fields - count
| eval myxml = "
<Head>
  <Doc>
    <node>{data..}</node>
    <node>{data..}</node>
  </Doc>
  <Doc>
    <node>{data..}</node>
    <node>{data..}</node>
  </Doc>
  <Doc>
    <node>{data..}</node>
  </Doc>
</Head>
"
| spath input=myxml path=Head.Doc.node output=data
| fields - myxml
| mvexpand data
| xmlkv data
Output:
data
{data..}
{data..}
{data..}
{data..}
{data..}
Note you can use either "xmlkv data" or "spath input=data" depending on what your data looks like.
Isn't that what you are trying to achieve?
Well, is spath not giving you the fields from the XML inside the node tags?