It seems that the xpath search command is fundamentally broken out-of-the-box. It is very strange that no one has noticed this or how this passed Splunk's QA team. Following the advice from this Splunk Answer: http://answers.splunk.com/answers/213680/xpath-bug-default-value-always-returned.html I modified the xpath.py script to add and remove the following lines:
Removed:
# make event value valid xml
myxml = "<data>%s</data>" % myxml
Added:
result[outfield] = values
added = True
The command now works as expected.
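An added Python reconstruction (not Splunk's xpath.py, whose full code is not on this page) of the two behaviours the post changes, using xml.etree.ElementTree as an assumed stand-in for Splunk's XML library: `wrap_in_data=True` models the removed `<data>` wrapper, and `store_matches=False` models the missing `result[outfield] = values` / `added = True` assignment that makes the default value come back even when the path matches.

```python
# Reconstruction for illustration only; function and option names are assumed,
# not Splunk's. Splunk's command uses its own XML library and option parsing.
import xml.etree.ElementTree as ET


def xpath_extract(event_xml, xpath, outfield, default=None,
                  wrap_in_data=False, store_matches=True):
    """Return {outfield: value} extracted from one event's raw XML.

    wrap_in_data=True  reproduces the removed line: the event is wrapped in
                       <data>...</data>, which makes <data> the document root,
                       so paths written relative to the event root stop matching.
    store_matches=False reproduces the missing assignment: nodes are found but
                       never stored, so only the default is ever returned.
    """
    doc = "<data>%s</data>" % event_xml if wrap_in_data else event_xml
    root = ET.fromstring(doc)

    # Collect text of every matching node (Splunk emits a multivalue field
    # when more than one node matches; a single match is a plain value).
    values = [(node.text or "") for node in root.findall(xpath)]

    result = {}
    added = False
    if values and store_matches:
        result[outfield] = values if len(values) > 1 else values[0]
        added = True
    # Only fall back to the default when nothing was stored for the field.
    if not added and default is not None:
        result[outfield] = default
    return result


# Constructed sample event, not taken from any real system.
SAMPLE_EVENT = ("<event><host>web1</host>"
                "<code>404</code><code>500</code></event>")

if __name__ == "__main__":
    print(xpath_extract(SAMPLE_EVENT, "host", "h", default="none"))
    print(xpath_extract(SAMPLE_EVENT, "host", "h", default="none",
                        store_matches=False))      # the reported bug
    print(xpath_extract(SAMPLE_EVENT, "host", "h", default="none",
                        wrap_in_data=True))        # root is now <data>
```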