Splunk Search

xpath command splits the result string into single-character fields

AndreyRyabov
New Member

Hi. There is a query that retrieves the name of XML element. It doesn't work as intended. The expected result for the example below: SOAPMSG = registerOrder, but splunk generates SOAPMSG=r | SOAPMSG=e | SOAPMSG=g | SOAPMSG=i | SOAPMSG=s | SOAPMSG=t | SOAPMSG=e | SOAPMSG=r | SOAPMSG=O | SOAPMSG=r | SOAPMSG=d | SOAPMSG=e | SOAPMSG=r

splunk query

xpath outfield=SOAPMSG "local-name(//*[local-name() = 'Body' and namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/']/*)"

sample input

 2013-07-25 18:59:32,542 [qtp1674856179-1896] INFO  org.apache.cxf.interceptor.LoggingInInterceptor:? - Inbound Message
    ----------------------------
    ID: 706
    Address: /webservices/agent-ws
    Encoding: UTF-8
    Content-Type: text/xml; charset=UTF-8
    Headers: {content-type=[text/xml; charset=UTF-8], connection=[close], Host=[service.ruserv.com], Content-Length=[338], SOAPAction=[""], X-Forwarded-For=[1.1.1.1], User-Agent=[Apache CXF 2.5.2], Content-Type=[text/xml; charset=UTF-8], Accept=[*/*], Pragma=[no-cache], Cache-Control=[no-cache]}
    Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns1:registerOrder xmlns:ns1="http://service.ruserv.com/webservices/agent"><params><hash>5fe823b563dc024bea9c75661c13364b</hash><systemId>109</systemId><reservationNumber>VOZEUB</reservationNumber></params></ns1:registerOrder></soap:Body></soap:Envelope>
    -------------------------------------- - MDC=[PNR:, MDORDER:, XSYS:] 

result:

SOAPMSG=r | SOAPMSG=e | SOAPMSG=g | SOAPMSG=i | SOAPMSG=s | SOAPMSG=t | SOAPMSG=e | SOAPMSG=r | SOAPMSG=O | SOAPMSG=r | SOAPMSG=d | SOAPMSG=e | SOAPMSG=r

And this because script splunk/etc/apps/search/bin/xpath.py not considers case when xpath-expression returns string instead collection of elements.

                ...
                et = etree.parse(StringIO.StringIO(myxml))
                nodes = et.xpath(path)
                values = [tostr(node) for node in nodes]
                result[outfield] = values
                ...

Is this splunk error or I'm doing something wrong?

0 Karma

AndreyRyabov
New Member

I not found further variants and has committed fixes to the script splunk/etc/apps/search/bin/xpath.py

original script

            ...
            et = etree.parse(StringIO.StringIO(myxml))
            nodes = et.xpath(path)
            values = [tostr(node) for node in nodes]
            result[outfield] = values
            ...

fixed script

            ...
            et = etree.parse(StringIO.StringIO(myxml))
            nodes = et.xpath(path)
            if isinstance(nodes, str):
                values = nodes
            else:
                values = [tostr(node) for node in nodes]
            result[outfield] = values
            ...

After that the query started returns correct result

I hope developers will solve the problem in a future releases

0 Karma

AndreyRyabov
New Member

sample input posted

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

This would probably be more productive if you could provide some sample input.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...