How to rename XML field name into shorter name ?

sieutruc · ‎11-20-2012

Hello,

I get difficult when manipulating XML field name, if i use like:

sourcetype="test_xml_as" | table content_table.table2{@BUSINESS_ENTITY_1}

It gave me desired result,

but if i use rename function as:

sourcetype="test_xml_as" | rename content_table.table2 as test | table test{@BUSINESS_ENTITY_1}

This search hasn't any result. The reason that i want to use rename is to reduce some internal XML field name that are very long.

So anyone can tell which function i should use to reduce XML field name ?

sbsbb · ‎04-16-2013

For that you have to use spath...
You can spath a specific element, and then with a pipe make a second spath...

Spath input=input_field output=output_field path="path.to.my.container" | spath input=ouputfield path=path.into.my.container

Or simply the second spath without parameter will return all values in fields...

alacercogitatus · ‎11-20-2012

You can use xpath to take a really long path and simplify it to a single field.

Try This:

sourcetype="text_xml_as"|xpath outfield=test "content_table.table2{@BUSINESS_ENTITY_1}"|table test

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Xpath

sieutruc · ‎11-20-2012

i tested it, it doesn't work , 😞

sourcetype=text_xml_as|xpath outfield=test "//content_table/table2"|table test{@BUSINESS_ENTITY_1}

alacercogitatus · ‎11-20-2012

I believe it can be done in same way, but haven't tested it. sourcetype=text_xml_as|xpath outfield=test "content_table.table2"|table test{@BUSINESS_ENTITY_1}

sieutruc · ‎11-20-2012

What i mean is to reduce content_table.table2 to only one field and use it to reference to its children field or its properties.

For example:

test:=content_table.table2

test{@BUSINESS_ENTITY_1} gives a result

How to rename XML field name into shorter name ?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability