Splunk Dev

Can splunk Do this? XPATH - XML Node with more than one Attribute

lpolo
Motivator

Is this possible in Splunk?

I have a log event with XML format. One of the XML nodes has more than one attribute. Example:

My xpath expression to get all the attributes will be:

| xpath "//Boolean_Filters/@*"

but I am unable to get the value of all the attributes. How can I do it with Splunk?

I can get the value one by one example:

| xpath "//Boolean_Filters/@linear" outfield=linear.

Thanks.

Tags (1)

lpolo
Motivator

Splunk can do it without any problem.
In my case, Splunk was failing because my events were mal-form XML instances. As a result, I could not aggregate the result set with the stats function after the result set. Like for example:

| xpath "//Boolean_Filters/@* outfield="values"|stats count by values

so I used this work-around:

| xpath "//Boolean_Filters/@* outfield="values"|table linear non_linear offset

Or this one:

| xpath "//Boolean_Filters/@* outfield="values"|
stats sum(eval(if(linear="true",1,0))) as Linear_Count
sum(eval(if(non_linear="true",1,0))) as non_linear_Count
sum(eval(if(offset="true",1,0))) as offset_Count

Cheers,
Lp
Thanks,
Lp

Thanks,
Lp

Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...