Solved: spath vs xpath parse xml

indeed_2000 · ‎10-03-2021

Hi

i have xml file like this, how can i table it with xpath or spath?

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<info xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<error-codes>
<error-code code="000" message="Exceeded" severity="1" InfoCode="0000" action="" description=""/>
<error-code code="001" message="Not Found" severity="1" InfoCode="0000" action="" description=" nope"/>
</error-codes>

</info>

excpected output:

.... | table code message severity InfoCode action description

ITWhisperer · ‎10-03-2021

Firstly split error-codes into separate events, then extract all the field attributes, then create new fields based on the attribute name

| makeresults 
| eval _raw="<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>
<info xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">
<error-codes>
<error-code code=\"000\" message=\"Exceeded\" severity=\"1\" InfoCode=\"0000\" action=\"\" description=\"\"/>
<error-code code=\"001\" message=\"Not Found\" severity=\"1\" InfoCode=\"0000\" action=\"\" description=\" nope\"/>
</error-codes>

</info>"



| spath path="info.error-codes" output=errorcodes
| eval _raw=errorcodes
| multikv noheader=t
| table _raw
| spath
| foreach "error-code{@*}"
    [| eval _name="<<MATCHSEG1>>"
    | eval {_name}='<<FIELD>>']
| rename error-code* as _error-code*
| table code message severity InfoCode  action description

View solution in original post

ITWhisperer · ‎10-03-2021

Firstly split error-codes into separate events, then extract all the field attributes, then create new fields based on the attribute name

| makeresults 
| eval _raw="<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>
<info xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">
<error-codes>
<error-code code=\"000\" message=\"Exceeded\" severity=\"1\" InfoCode=\"0000\" action=\"\" description=\"\"/>
<error-code code=\"001\" message=\"Not Found\" severity=\"1\" InfoCode=\"0000\" action=\"\" description=\" nope\"/>
</error-codes>

</info>"



| spath path="info.error-codes" output=errorcodes
| eval _raw=errorcodes
| multikv noheader=t
| table _raw
| spath
| foreach "error-code{@*}"
    [| eval _name="<<MATCHSEG1>>"
    | eval {_name}='<<FIELD>>']
| rename error-code* as _error-code*
| table code message severity InfoCode  action description

indeed_2000 · ‎10-03-2021

@ITWhisperer Thank you for answer

i can see it successfuly extract fields from xml file, when i run this spl ....| table _raw

but no result when I run this ....| table code message severity InfoCode action description

here is the full spl

index="my-index" source="/home/file.xml"
| spath path="info.error-codes" output=errorcodes
| eval _raw=errorcodes
| multikv noheader=t
| table _raw
| spath
| foreach "error-code{@*}"
    [| eval _name="<<MATCHSEG1>>"
    | eval {_name}='<<FIELD>>']
| rename error-code* as _error-code*
| table code message severity InfoCode  action description

ITWhisperer · ‎10-03-2021

You haven't got a closing double quote around your index name?

indeed_2000 · ‎10-03-2021

when i copy here accidentally removed, corect spl have double quotes.

I modify last reply.

any other idea?

ITWhisperer · ‎10-03-2021

What do you get without the last table line?

indeed_2000 · ‎10-03-2021

after some workaround it work,I try to remove file and add with custom source type. finally table return result.

Thanks,

spath vs xpath parse xml

eval

field extraction

fields

lookup

regex

table

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk