- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to apply xmlkv for result of other query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to apply xmlkv for result of other query
Hi,
I have huge xml and i have written a query to break the xml.
Let me explain with small example ( though i am doing this on a bigger file, i am showing this for understanding)
My main xml:
<Head>
<Doc>
<node>{data..}</node>
<node>{data..}</node>
</Doc>
<Doc>
<node>{data..}</node>
<node>{data..}</node>
</Doc>
<Doc>
<node>{data..}</node>
</Doc>
</Head>
I have written query to get the xml nodes. Now the results will be like this.
My query is like this:
index = "<index>" | xmlkv | spath output=node path=<MY_XPATH> | mvexpand node |table node
After that, results would look like below.
<node>{data..}</node>
<node>{data..}</node>
<node>{data..}</node>
<node>{data..}</node>
<node>{data..}</node>
Now, How can i apply xmlkv to get the data out of the results above.?
i do not want to apply it on actual xml, as it is huge and do not need all the data.
Thank You,
Regards,
Srini.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I don't have access to an instance of Splunk right now but would the following maybe work for you?
Your query above
| spath input=node
Regards,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Javier,
No that is not what i want. I want to apply xmlkv on the results of the search, so that i can get the data directly from the broken xml.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Still confused by what you are trying to achieve. Take a look at this:
| stats count | fields - count
| eval myxml = "
<Head>
<Doc>
<node>{data..}</node>
<node>{data..}</node>
</Doc>
<Doc>
<node>{data..}</node>
<node>{data..}</node>
</Doc>
<Doc>
<node>{data..}</node>
</Doc>
</Head>
"
| spath input=myxml path=Head.Doc.node output=data
| fields - myxml
| mvexpand data
| xmlkv data
Output:
data
{data..}
{data..}
{data..}
{data..}
{data..}
Note you can use either "xmlkv data" or "spath input=data" depending on how your data looks like.
Isn't that what you are trying to achieve?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, does spath is not giving you the fields from the xml inside node tags??
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
