Hi,
I have added a directory full of the following XML files into Splunk:
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="MeasDataCollection.xsl" ?>
<!DOCTYPE mdc SYSTEM "MeasDataCollection.dtd">
<mdc xmlns:HTML="http://www.w3.org/TR/REC-xml">
<mfh>
<ffv>5</ffv>
<sn>DC=mars.com,g3SubNetwork=US,g3ManagedElement=USHSS01</sn>
<st>Netio</st>
...
I would like to print stats or use a chart based upon the /mdc/mfh/st element in the xml files. These files are from multiple sources, and have different "st" values. Here is what I have so far in my search string:
sourcetype="xml" | xpath "/mdc/mfh/st" outfield=st default="hello_world" | chart count(st) AS Platform by type
However, all I see as output is a table with "text/xsl" and "2", i.e. 2 results. I am expecting something like "Netio" and "2". It seems like the xpath expression is not working? Any ideas? Is there a simple way to just print all the outfield values in plain text? Thanks in advance.
Give the right path in source and append this code:
|xmlkv|xpath "//mdc/mfh/st" outfield=st | stats values(st)
Could you paste a complete sample of XML or a pastebin link to it please?