Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can splunk Do this? XPATH - XML Node with more than one Attribute

lpolo
Motivator
‎01-09-2012 07:37 AM

Is this possible in Splunk?

I have a log event with XML format. One of the XML nodes has more than one attribute. Example:

My xpath expression to get all the attributes will be:

| xpath "//Boolean_Filters/@*"

but I am unable to get the value of all the attributes. How can I do it with Splunk?

I can get the value one by one example:

| xpath "//Boolean_Filters/@linear" outfield=linear.

Thanks.

Tags (1)
Reply

lpolo
Motivator
‎01-19-2012 10:28 AM

Splunk can do it without any problem.
In my case, Splunk was failing because my events were mal-form XML instances. As a result, I could not aggregate the result set with the stats function after the result set. Like for example:

| xpath "//Boolean_Filters/@* outfield="values"|stats count by values

so I used this work-around:

| xpath "//Boolean_Filters/@* outfield="values"|table linear non_linear offset

Or this one:

| xpath "//Boolean_Filters/@* outfield="values"|
stats sum(eval(if(linear="true",1,0))) as Linear_Count
sum(eval(if(non_linear="true",1,0))) as non_linear_Count
sum(eval(if(offset="true",1,0))) as offset_Count

Cheers,
Lp
Thanks,
Lp

Thanks,
Lp

Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...