Splunk Search

spath vs xpath parse xml

indeed_2000
Motivator

Hi

i have xml file like this, how can i table it with xpath or spath?

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<info xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<error-codes>
<error-code code="000" message="Exceeded" severity="1" InfoCode="0000" action="" description=""/>
<error-code code="001" message="Not Found" severity="1" InfoCode="0000" action="" description=" nope"/>
</error-codes>

</info>

 

 

excpected output:

....  | table code message severity InfoCode  action description

Labels (6)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Firstly split error-codes into separate events, then extract all the field attributes, then create new fields based on the attribute name

| makeresults 
| eval _raw="<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>
<info xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">
<error-codes>
<error-code code=\"000\" message=\"Exceeded\" severity=\"1\" InfoCode=\"0000\" action=\"\" description=\"\"/>
<error-code code=\"001\" message=\"Not Found\" severity=\"1\" InfoCode=\"0000\" action=\"\" description=\" nope\"/>
</error-codes>

</info>"



| spath path="info.error-codes" output=errorcodes
| eval _raw=errorcodes
| multikv noheader=t
| table _raw
| spath
| foreach "error-code{@*}"
    [| eval _name="<<MATCHSEG1>>"
    | eval {_name}='<<FIELD>>']
| rename error-code* as _error-code*
| table code message severity InfoCode  action description

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Firstly split error-codes into separate events, then extract all the field attributes, then create new fields based on the attribute name

| makeresults 
| eval _raw="<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>
<info xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">
<error-codes>
<error-code code=\"000\" message=\"Exceeded\" severity=\"1\" InfoCode=\"0000\" action=\"\" description=\"\"/>
<error-code code=\"001\" message=\"Not Found\" severity=\"1\" InfoCode=\"0000\" action=\"\" description=\" nope\"/>
</error-codes>

</info>"



| spath path="info.error-codes" output=errorcodes
| eval _raw=errorcodes
| multikv noheader=t
| table _raw
| spath
| foreach "error-code{@*}"
    [| eval _name="<<MATCHSEG1>>"
    | eval {_name}='<<FIELD>>']
| rename error-code* as _error-code*
| table code message severity InfoCode  action description

indeed_2000
Motivator

@ITWhisperer Thank you for answer

i can see it successfuly extract fields from xml file, when i run this spl  ....| table _raw

but no result when I run this   ....|  table code message severity InfoCode action description

here is the full spl

 

 

 

index="my-index" source="/home/file.xml"
| spath path="info.error-codes" output=errorcodes
| eval _raw=errorcodes
| multikv noheader=t
| table _raw
| spath
| foreach "error-code{@*}"
    [| eval _name="<<MATCHSEG1>>"
    | eval {_name}='<<FIELD>>']
| rename error-code* as _error-code*
| table code message severity InfoCode  action description

 

 

 

any idea?
Thanks
Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You haven't got a closing double quote around your index name?

0 Karma

indeed_2000
Motivator

when i copy here accidentally removed, corect spl have double quotes.

I modify last reply.

any other idea?

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What do you get without the last table line?

0 Karma

indeed_2000
Motivator

after some workaround it work,I try to remove file and add with custom source type. finally table return result.

Thanks,

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...