Splunk Search

how to apply xmlkv for result of other query

sdaruna
Explorer

Hi,
I have huge xml and i have written a query to break the xml.

Let me explain with small example ( though i am doing this on a bigger file, i am showing this for understanding)

My main xml:

<Head>
    <Doc>
        <node>{data..}</node>
        <node>{data..}</node>
    </Doc>
    <Doc>
        <node>{data..}</node>
        <node>{data..}</node>
    </Doc>
    <Doc>   
        <node>{data..}</node>
    </Doc>
</Head>

I have written query to get the xml nodes. Now the results will be like this.
My query is like this:

index = "<index>" | xmlkv | spath output=node path=<MY_XPATH> | mvexpand node |table node

After that, results would look like below.

<node>{data..}</node>
<node>{data..}</node>
<node>{data..}</node>
<node>{data..}</node>
<node>{data..}</node>

Now, How can i apply xmlkv to get the data out of the results above.?
i do not want to apply it on actual xml, as it is huge and do not need all the data.

Thank You,
Regards,
Srini.

Tags (1)
0 Karma

javiergn
Super Champion

Hi,

I don't have access to an instance of Splunk right now but would the following maybe work for you?

Your query above
| spath input=node

Regards,
J

0 Karma

sdaruna
Explorer

Hi Javier,

No that is not what i want. I want to apply xmlkv on the results of the search, so that i can get the data directly from the broken xml.

0 Karma

javiergn
Super Champion

Hi,

Still confused by what you are trying to achieve. Take a look at this:

| stats count | fields - count
| eval myxml = "
  <Head>
     <Doc>
         <node>{data..}</node>
         <node>{data..}</node>
     </Doc>
     <Doc>
         <node>{data..}</node>
         <node>{data..}</node>
     </Doc>
     <Doc>    
         <node>{data..}</node>
     </Doc>
  </Head>
"
| spath input=myxml path=Head.Doc.node output=data
| fields - myxml
| mvexpand data
| xmlkv data

Output:

data
{data..}
{data..}
{data..}
{data..}
{data..} 

Note you can use either "xmlkv data" or "spath input=data" depending on how your data looks like.

Isn't that what you are trying to achieve?

0 Karma

somesoni2
Revered Legend

Well, does spath is not giving you the fields from the xml inside node tags??

0 Karma
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...