Hello brother,
First you should extract the XML from the event. Add this line to the props.conf:
EXTRACT-xml=(?i)(?P<xml>\<\sevn.+)
Now you should use spath and specify the input field as xml:
<your search>| spath input=xml
You can find your results in the field named {@evn}.{@att}.{@it}. You can also add path={@evn}.{@att}.{@it} to the spath command.
The search command you are looking for:
Use the below search if you did not add the EXTRACT to the props.conf:
index=" " sourcetype=" " | rex field=_raw "(?i)(?P<xml>\<\sevn.+)" | spath input=xml | stats sum({@evn}.{@att}.{@it})
Use the below search if you have added the EXTRACT to the props.conf:
index=" " sourcetype=" " | spath input=xml | stats sum({@evn}.{@att}.{@it})
Happy Splunking,
Yours,
Eashwar Raghunathan
Consider voting if it helped you, thanks...
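As an added example (not part of the answer above and not Splunk code), the following Python script lets you check the extraction regex and the sum offline before putting the EXTRACT into props.conf. It assumes events that carry a log prefix followed by an embedded XML fragment shaped like <evn><att it="N"/></evn>, which is a guess derived from the spath path {@evn}.{@att}.{@it} and not shown in the thread; the sample events are constructed. One detail worth knowing about the pattern as written: "\<\sevn" requires exactly one whitespace character between "<" and "evn", so an event containing a plain "<evn" tag would not match. The script uses "\s?" instead to accept both forms (an assumption), and it reports which events were skipped and why, which is the part that "stats sum" in Splunk silently hides.

```python
import re
import xml.etree.ElementTree as ET

# Pattern from the answer above. The original "\<\sevn" requires one whitespace
# character between "<" and "evn"; "\s?" makes it optional (assumption, so that
# events with a plain "<evn" tag are also captured).
XML_RE = re.compile(r"(?i)(?P<xml>\<\s?evn.+)")

# Constructed sample events (not from the thread): a log prefix followed by an
# embedded XML fragment. The <evn><att it="N"/></evn> shape is an assumption
# based on the spath path {@evn}.{@att}.{@it} used in the answer.
SAMPLE_EVENTS = [
    '2024-01-01T10:00:00 host=app1 msg=ok <evn><att it="5"/></evn>',
    '2024-01-01T10:00:01 host=app1 msg=ok <evn><att it="12"/><att it="3"/></evn>',
    '2024-01-01T10:00:02 host=app2 msg="no xml payload here"',
    '2024-01-01T10:00:03 host=app2 msg=ok < evn><att it="7"/></evn>',
    '2024-01-01T10:00:04 host=app3 msg=ok <evn><att it="n/a"/></evn>',
]


def extract_xml(raw):
    """Return the fragment the EXTRACT/rex would produce, or None if the event has none."""
    m = XML_RE.search(raw)
    return m.group("xml") if m else None


def sum_it(events, element="att", attribute="it"):
    """Sum the numeric `attribute` of every `element` found in the extracted XML.

    Mirrors `... | spath input=xml | stats sum(...)`, but also counts the events
    that contributed nothing and why, so you can see what the sum is missing.
    """
    report = {"total": 0.0, "summed": 0, "no_xml": 0, "unparseable": 0, "non_numeric": 0}
    for raw in events:
        frag = extract_xml(raw)
        if frag is None:
            report["no_xml"] += 1
            continue
        try:
            root = ET.fromstring(frag)
        except ET.ParseError:
            # e.g. "< evn>": the regex accepts it, but it is not well-formed XML,
            # so spath would not produce a field for it either
            report["unparseable"] += 1
            continue
        for el in root.iter(element):
            value = el.get(attribute)
            try:
                report["total"] += float(value)
                report["summed"] += 1
            except (TypeError, ValueError):
                report["non_numeric"] += 1
    return report


if __name__ == "__main__":
    print(sum_it(SAMPLE_EVENTS))
```

Run it on a handful of real events exported from your index (replace SAMPLE_EVENTS) before deploying: if "no_xml" or "unparseable" is high, the regex or the event format is the problem, not the stats command.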