Splunk Search

how to apply xmlkv for result of other query

sdaruna
Explorer

Hi,
I have huge xml and i have written a query to break the xml.

Let me explain with small example ( though i am doing this on a bigger file, i am showing this for understanding)

My main xml:

<Head>
    <Doc>
        <node>{data..}</node>
        <node>{data..}</node>
    </Doc>
    <Doc>
        <node>{data..}</node>
        <node>{data..}</node>
    </Doc>
    <Doc>   
        <node>{data..}</node>
    </Doc>
</Head>

I have written query to get the xml nodes. Now the results will be like this.
My query is like this:

index = "<index>" | xmlkv | spath output=node path=<MY_XPATH> | mvexpand node |table node

After that, results would look like below.

<node>{data..}</node>
<node>{data..}</node>
<node>{data..}</node>
<node>{data..}</node>
<node>{data..}</node>

Now, How can i apply xmlkv to get the data out of the results above.?
i do not want to apply it on actual xml, as it is huge and do not need all the data.

Thank You,
Regards,
Srini.

Tags (1)
0 Karma

javiergn
Super Champion

Hi,

I don't have access to an instance of Splunk right now but would the following maybe work for you?

Your query above
| spath input=node

Regards,
J

0 Karma

sdaruna
Explorer

Hi Javier,

No that is not what i want. I want to apply xmlkv on the results of the search, so that i can get the data directly from the broken xml.

0 Karma

javiergn
Super Champion

Hi,

Still confused by what you are trying to achieve. Take a look at this:

| stats count | fields - count
| eval myxml = "
  <Head>
     <Doc>
         <node>{data..}</node>
         <node>{data..}</node>
     </Doc>
     <Doc>
         <node>{data..}</node>
         <node>{data..}</node>
     </Doc>
     <Doc>    
         <node>{data..}</node>
     </Doc>
  </Head>
"
| spath input=myxml path=Head.Doc.node output=data
| fields - myxml
| mvexpand data
| xmlkv data

Output:

data
{data..}
{data..}
{data..}
{data..}
{data..} 

Note you can use either "xmlkv data" or "spath input=data" depending on how your data looks like.

Isn't that what you are trying to achieve?

0 Karma

somesoni2
Revered Legend

Well, does spath is not giving you the fields from the xml inside node tags??

0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...