May I know if there is any new version of the xmlutils app, or another app that replaces xmlutils?
Something like this:
| stats count | eval _raw="<x><b a=\"la\">foo</b><b>bar</b></x>" | xmlsplit field=b | xmlkvrecursive | stats count by b
Could be accomplished like this:
| stats count | eval _raw="<x><b a=\"la\">foo</b><b>bar</b></x>" | spath | stats count by x.b
Or if you really need the individual bits as rows in a table, you can use the expensive mvexpand...
| stats count | eval _raw="<x><b a=\"la\">foo</b><b>bar</b></x>" | spath | mvexpand x.b | table x.b x.b{@a}
OK, many thanks for your support.
mvexpand takes so much memory and is hard to use on a large amount of logs.
And regarding the second SPL, here you just choose the count of x.b, but I need to split each foo and bar into a new event.
There's no way xmlsplit is going to be more efficient than spath + mvexpand. Calling a python command is always going to be slower than using native commands.
Think about what you're doing with the output. If you're subsequently counting things in a later statement, then you're almost certainly better off using spath, then using stats/chart/timechart to count by the multi-value field created by spath.
xmlsplit is unique in that if you have deeply nested xml blocks that you need to treat as individual events, it might be your best answer. For instance, given
<x><y><b>foo</b></y><y><b>bar</b></y></x>
xmlsplit field=y
Would be difficult to do otherwise. But it's still not super efficient.
Using rex + mvexpand would be more efficient, but wouldn't work if your xml tags aren't unique at each level. Just to illustrate...
index=_internal | head 1000 | eval _raw="<x><y><b a=\"la\">foo</b></y><y><b>bar</b></y></x>" | spath | xmlsplit field=y
This search has completed and has returned 2,000 results by scanning 3,010 events in 3.573 seconds.
vs
index=_internal | head 1000 | eval _raw="<x><y><b a=\"la\">foo</b></y><y><b>bar</b></y></x>" | rex max_match=100 "(?<r><y>.*?</y>)" | mvexpand r | table r
This search has completed and has returned 2,000 results by scanning 2,973 events in 0.48 seconds.
So, that's about 7 times faster using the native commands.
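An added illustration (not from this thread or from the xmlutils app) of the caveat above, in Python: a non-greedy regex split on <y>...</y> versus a parser-based split when the same tag name repeats across nesting levels, plus a small spath-style flattener for comparison. The sample XML and all function names are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: <y> records are NOT unique per level, one <y> nests another <y>.
SAMPLE = '<x><y><b a="la">foo</b><y><b>inner</b></y></y><y><b>bar</b></y></x>'

def regex_split(raw, tag):
    """Mimics rex max_match=100 "(?<r><y>.*?</y>)": the non-greedy regex pairs each
    opening tag with the FIRST closing tag it meets, so nested same-name tags break it."""
    pat = r"<%s>.*?</%s>" % (re.escape(tag), re.escape(tag))
    return re.findall(pat, raw)

def split_records(raw, tag):
    """What a real splitter must do: parse, then emit every <tag> element
    (nested ones included, in document order) as its own well-formed fragment."""
    # xml.etree does not fetch external entities, but for hostile input defusedxml is the safer parser.
    root = ET.fromstring(raw)
    frags = []
    for el in root.iter(tag):
        el.tail = None  # tostring() would otherwise append any text that follows the element
        frags.append(ET.tostring(el, encoding="unicode"))
    return frags

def is_well_formed(fragment):
    """True if the fragment parses on its own, i.e. could be fed back into spath."""
    try:
        ET.fromstring(fragment)
        return True
    except ET.ParseError:
        return False

def to_record(el, prefix=""):
    """Flatten an element into spath-style keys: 'x.b' -> text values, 'x.b{@a}' -> attribute
    values. Repeated paths collect into a list, like spath's multivalue fields."""
    path = f"{prefix}.{el.tag}" if prefix else el.tag
    rec = {}
    if el.text and el.text.strip():
        rec.setdefault(path, []).append(el.text.strip())
    for k, v in el.attrib.items():
        rec.setdefault(f"{path}{{@{k}}}", []).append(v)
    for child in el:
        for key, values in to_record(child, path).items():
            rec.setdefault(key, []).extend(values)
    return rec

def flatten(raw):
    """Parse a raw XML event and flatten it the way spath would."""
    return to_record(ET.fromstring(raw))
```

Running regex_split on SAMPLE returns two fragments, the first of which is not well-formed XML, while split_records returns three fragments that each parse on their own.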
There is a command in this app that does not have corresponding functionality in spath, such as xmlsplit.
xmlutils is something I tossed together years ago. I'm updating it now for a security finding, but not adding any new functionality.
The spath command will do most of what these utils do, and in native code, so it should be much faster.