Splunk Search

how to apply xmlkv for result of other query

sdaruna
Explorer

Hi,
I have a huge xml and I have written a query to break the xml.

Let me explain with a small example (though I am doing this on a bigger file, I am showing this for understanding).

My main xml:

<Head>
    <Doc>
        <node>{data..}</node>
        <node>{data..}</node>
    </Doc>
    <Doc>
        <node>{data..}</node>
        <node>{data..}</node>
    </Doc>
    <Doc>   
        <node>{data..}</node>
    </Doc>
</Head>

I have written a query to get the xml nodes. Now the results will be like this.
My query is like this:

index="<index>" | xmlkv | spath output=node path=<MY_XPATH> | mvexpand node | table node

After that, results would look like below.

<node>{data..}</node>
<node>{data..}</node>
<node>{data..}</node>
<node>{data..}</node>
<node>{data..}</node>

Now, how can I apply xmlkv to get the data out of the results above?
I do not want to apply it on the actual xml, as it is huge and I do not need all the data.

Thank You,
Regards,
Srini.

0 Karma

javiergn
Super Champion

Hi,

I don't have access to an instance of Splunk right now but would the following maybe work for you?

Your query above
| spath input=node

Regards,
J

0 Karma

sdaruna
Explorer

Hi Javier,

No, that is not what I want. I want to apply xmlkv on the results of the search, so that I can get the data directly from the broken xml.

0 Karma

javiergn
Super Champion

Hi,

Still confused by what you are trying to achieve. Take a look at this:

| stats count | fields - count
| eval myxml = "
  <Head>
     <Doc>
         <node>{data..}</node>
         <node>{data..}</node>
     </Doc>
     <Doc>
         <node>{data..}</node>
         <node>{data..}</node>
     </Doc>
     <Doc>    
         <node>{data..}</node>
     </Doc>
  </Head>
"
| spath input=myxml path=Head.Doc.node output=data
| fields - myxml
| mvexpand data
| xmlkv data

Output:

data
{data..}
{data..}
{data..}
{data..}
{data..} 

Note you can use either "xmlkv data" or "spath input=data" depending on what your data looks like.

Isn't that what you are trying to achieve?

0 Karma
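Added example (not from this thread or from Splunk's documentation) of the same spath, mvexpand, xmlkv pattern, this time on nodes that contain real child elements so that xmlkv has fields to extract; the XML and the audit-event field names (user, action, result) are constructed for illustration. It assumes, as the original post's result listing indicates, that spath returns each node's XML subtree as a multivalue field and that xmlkv turns each child element of a node into a field.

```spl
| makeresults
| eval myxml="<Head><Doc><node><user>alice</user><action>login</action><result>FAILURE</result></node><node><user>alice</user><action>login</action><result>FAILURE</result></node></Doc><Doc><node><user>bob</user><action>login</action><result>SUCCESS</result></node></Doc></Head>"
| spath input=myxml path=Head.Doc.node output=node
| fields - myxml _time
| mvexpand node
| xmlkv node
| search result=FAILURE
| stats count AS failed_logins BY user
```

Only the node subtrees go through xmlkv, so the rest of a large document is never key-value parsed; the final two lines show the extracted fields being used like any other fields (here, counting failed logins per user).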

somesoni2
Revered Legend

Well, is spath not giving you the fields from the xml inside the node tags?

0 Karma