How do you search with the xpath command in an XML file?

faribole
Path Finder

I would like to extract the text of tag3 in an XML file like this:

When I search the text of tag2, it's OK

mysearch | xpath "//tag1/tag2/@name" output=name | chart count by name

What is the syntax of the request to extract the text of tag3?

None of those searches are OK

mysearch | xpath "//tag1/tag2/tag3" output=text | chart count by text

or

mysearch | xpath "//tag1/tag2/tag3" outfield=text | chart count by text

Thanks for your help

0 Karma

woodcock
Esteemed Legend

Why not just use spath like this:

|makeresults | eval _raw="<tag1><tag2 name=\"TEXTE\"><tag3>TEXTE OF MESSAGE</tag3></tag2></tag1>"
| spath

This gives you these:

_raw                                                                   _time                 tag1.tag2.tag3     tag1.tag2{@name}
<tag1><tag2 name="TEXTE"><tag3>TEXTE OF MESSAGE</tag3></tag2></tag1>   2018-12-08 15:19:37   TEXTE OF MESSAGE   TEXTE
0 Karma

tom_frotscher
Builder

Hi,

When I try this with my run everywhere example, everything works as expected. Maybe your XML is not correct? For example, the tags are not closed correctly? Also, the option is called outfield, not output.

Here is the example, try it yourself:

| makeresults | eval _raw="<tag1><tag2 name=\"foo\"><tag3>Test 123</tag3></tag2></tag1>" | xpath "//tag1/tag2/tag3" outfield=value
0 Karma

prakash007
Builder

Did you try using xmlkv in your search?

 mysearch | xmlkv | chart count by name

You could also insert xmlkv as a search-time extraction in your search head's props.conf:
[sourcetype]
KV_MODE = xml 

http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Xmlkv

0 Karma

493669
Super Champion

If tag3 is fixed then you can try a simple regex like:

|rex "<tag3>(?<TEXT>[^<]+)"
0 Karma
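
An added example, not part of any post in this thread: a Python sketch for checking offline why an extraction comes back empty, following the suggestion above that the XML may not be well formed, and comparing a parser-based lookup with the regex from the last answer. The sample events are constructed, and Python's ElementTree stands in for Splunk's xpath, so Splunk's own behaviour on these events is an assumption and is not shown.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample events (not from the thread), shaped like the XML in the answers.
EVENTS = [
    '<tag1><tag2 name="foo"><tag3>Test 123</tag3></tag2></tag1>',
    '<tag1><tag2 name="bar"><tag3 lang="en">a &amp; b</tag3></tag2></tag1>',
    '<tag1><tag2 name="baz"><tag3>unclosed</tag2></tag1>',  # malformed on purpose
]

# Python spelling of the rex pattern from the last answer: (?P<...>) instead of (?<...>).
REX = re.compile(r"<tag3>(?P<TEXT>[^<]+)")


def by_xpath(raw):
    """Return [(tag2 name attribute, tag3 text)], or None if the XML is not well formed."""
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return None
    # Assumes <tag1> is the root, so "./tag2" plays the role of //tag1/tag2.
    return [(t2.get("name"), t2.findtext("tag3")) for t2 in root.findall("./tag2")]


def by_regex(raw):
    """Return the first regex capture, or None when the literal '<tag3>' is absent."""
    m = REX.search(raw)
    return m.group("TEXT") if m else None


def compare(events):
    """Pair both extraction results for each event."""
    return [(by_xpath(e), by_regex(e)) for e in events]


if __name__ == "__main__":
    for event, (xp, rx) in zip(EVENTS, compare(EVENTS)):
        print(f"{event}\n  parser: {xp}\n  regex : {rx}")
```

The parser returns nothing for the malformed event while the regex still captures text, and the regex returns nothing once tag3 carries an attribute and would leave entities such as `&amp;` undecoded.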