Clarification on xmlkv command

Jananee_iNautix · ‎05-23-2014

Hi,

I have a set of logs in xml format.Since the logs are xml formatted xmlkv command was used .As per the property of the log,the command creates fields as key value pairs from the logs.For example "Sw:Logicalname" is the field that splunk extracted based on the xmlkv command.When I wanted to perform maniputlations on that field using "eval" command,the following error was displayed
⚠ Error in 'eval' command: The operator at ':LogicalName' is invalid.

Can someone resolve this or suggest anyother idea to handle this

MuS · ‎05-23-2014

Hi Jananee_iNautix,

this is no problem of the xmlkv command, but a problem of your field name. Take this run everywhere command as example:

index=_internal earliest=-1m | head 1 | eval Foo:boo="my foo" | eval myFoo='Foo:boo' | table Foo:boo myFoo

this will work because I quoted the field name 'Foo:boo' and Splunk will no longer interpret the : as operator. Where as

index=_internal earliest=-1m | head 1 | eval Foo:boo="my foo" | eval myFoo=Foo:boo | table Foo:boo myFoo

will bring your error.

cheers, MuS

somesoni2 · ‎05-23-2014

Try this.

| stats count | eval _raw="<sw:Test><sw:Name>FirstName</sw:Name><sw:ID>123</sw:ID></sw:Test>" | xmlkv | eval "sw:Name"='sw:Name'+" LastName"

basically, use the fieldname within double qoutes on left side of the "=" (when referring to field) and use fieldname within single quotes on right side of "=" (when referring to value)

MuS · ‎05-23-2014

HeHe, I was typing for too long 😉

Clarification on xmlkv command

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases