Given an entry like below, my goal is to pull all the "fieldName" parameters, essentially recreating the "where" clause being submitted to the database. I would want the output to be along the lines of
_time RID fieldName#1 fieldName#2 fieldName...., Or
2013-01-14 07:32:13.182 | 1358177533172-2801682 | Process Date | Applied Amount
2013-01-14 07:32:13,182 INFO [ndler-RMICallHandler-4364] RID=1358177533172-2801682 c.r.t.services.AbstractServiceWsImpl -
Any suggestions?
spath will munch your XML into splunk fields.
i.e.
... | spath path=searchrequest.callinguserid.applicationid.searchparams.searchparam.fieldname output=fieldnames
| eval fieldnames=mvjoin(fieldnames,",")
So we're saying, in the xml, get all the instances of searchrequest.callinguserid.applicationid.searchparams.searchparam.fieldname, and put it in a field called fieldnames.
This is a multivalue field, so we join the values with a ','
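As an added example (not from this thread), the same extraction done in Python over a constructed event: the log prefix quoted in the question followed by an assumed XML body shaped to match the spath path above. It splits the XML off the log prefix before parsing, collects every fieldName, and builds the pipe-delimited row the question asked for.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample event: the real log prefix from the question, followed by
# an ASSUMED XML body laid out to match the path
# searchRequest.callingUserId.applicationId.searchParams.searchParam.fieldName.
SAMPLE_EVENT = (
    "2013-01-14 07:32:13,182 INFO [ndler-RMICallHandler-4364] "
    "RID=1358177533172-2801682 c.r.t.services.AbstractServiceWsImpl - "
    "<searchRequest><callingUserId><applicationId><searchParams>"
    "<searchParam><fieldName>Process Date</fieldName><value>2013-01-10</value></searchParam>"
    "<searchParam><fieldName>Applied Amount</fieldName><value>100.00</value></searchParam>"
    "</searchParams></applicationId></callingUserId></searchRequest>"
)

# Timestamp, RID and the XML payload (everything from the first '<' onwards).
PREFIX_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3}) "
    r".*?RID=(?P<rid>\S+).*?(?P<xml><.*)$",
    re.DOTALL,
)

# Relative to the <searchRequest> root; mirrors the spath path in the answer.
FIELD_NAME_PATH = "callingUserId/applicationId/searchParams/searchParam/fieldName"


def extract_field_names(event: str) -> dict:
    """Return _time, RID and the list of fieldName values for one event."""
    m = PREFIX_RE.match(event)
    if m is None:
        raise ValueError("event does not match the expected prefix + XML layout")
    # For XML from untrusted sources, parse with defusedxml instead of ElementTree.
    root = ET.fromstring(m.group("xml"))
    if root.tag != "searchRequest":
        raise ValueError(f"unexpected root element <{root.tag}>")
    names = [el.text.strip() for el in root.findall(FIELD_NAME_PATH) if el.text]
    return {
        "_time": f"{m.group('time')}.{m.group('ms')}",
        "RID": m.group("rid"),
        "fieldnames": names,  # multivalue, like the spath output field
    }


def format_row(event: str) -> str:
    """Render the '_time | RID | fieldName#1 | fieldName#2 ...' row from the question."""
    r = extract_field_names(event)
    return " | ".join([r["_time"], r["RID"], *r["fieldnames"]])


if __name__ == "__main__":
    print(format_row(SAMPLE_EVENT))
```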
What happens if you just run it through | spath ?
I used the following:
... | spath path=searchRequest.callingUserId.applicationId.searchParams.searchParam.fieldName output=fieldnames |eval fieldnames=mvjoin(fieldnames,",")
As I read the documentation on spath, the letter case is important (or not, but I tried), but even this did not pull the fields as I would have hoped. As a matter of fact, no fields were identified.