- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: how to apply xmlkv for result of other query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to apply xmlkv for result of other query
Hi,
I have huge xml and i have written a query to break the xml.
Let me explain with small example ( though i am doing this on a bigger file, i am showing this for understanding)
My main xml:
<Head>
<Doc>
<node>{data..}</node>
<node>{data..}</node>
</Doc>
<Doc>
<node>{data..}</node>
<node>{data..}</node>
</Doc>
<Doc>
<node>{data..}</node>
</Doc>
</Head>
I have written query to get the xml nodes. Now the results will be like this.
My query is like this:
index = "<index>" | xmlkv | spath output=node path=<MY_XPATH> | mvexpand node |table node
After that, results would look like below.
<node>{data..}</node>
<node>{data..}</node>
<node>{data..}</node>
<node>{data..}</node>
<node>{data..}</node>
Now, How can i apply xmlkv to get the data out of the results above.?
i do not want to apply it on actual xml, as it is huge and do not need all the data.
Thank You,
Regards,
Srini.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I don't have access to an instance of Splunk right now but would the following maybe work for you?
Your query above
| spath input=node
Regards,
J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Javier,
No that is not what i want. I want to apply xmlkv on the results of the search, so that i can get the data directly from the broken xml.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Still confused by what you are trying to achieve. Take a look at this:
| stats count | fields - count
| eval myxml = "
<Head>
<Doc>
<node>{data..}</node>
<node>{data..}</node>
</Doc>
<Doc>
<node>{data..}</node>
<node>{data..}</node>
</Doc>
<Doc>
<node>{data..}</node>
</Doc>
</Head>
"
| spath input=myxml path=Head.Doc.node output=data
| fields - myxml
| mvexpand data
| xmlkv data
Output:
data
{data..}
{data..}
{data..}
{data..}
{data..}
Note you can use either "xmlkv data" or "spath input=data" depending on how your data looks like.
Isn't that what you are trying to achieve?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, does spath is not giving you the fields from the xml inside node tags??
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
