Hi!
I would like to use the xpath search command to extract my test results from daily XML files. I have created the following bare-bones proof-of-concept scenario in order to use the xpath command.
This is an example of my XML events. These are single events/transactions:
<?xml version="1.0" encoding="UTF-8"?>
<TestRun id="7bfd7618-602a-4276-9f88-22c1d8bc630b" runUser="joe">
<Result outcome="passed" />
</TestRun>
The following are my inputs.conf and props.conf for data ingestion:
inputs.conf
[monitor://\\MyServer\Results\Splunk\*.xml]
disabled = false
sourcetype = xml_test
props.conf
[xml_test]
TRUNCATE = 1000000
KV_MODE = xml
LINE_BREAKER = (</TestRun>) ###Last element of the XML file
MAX_TIMESTAMP_LOOKAHEAD = 150
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
The following is the search that I am trying to get working:
sourcetype="xml_test" | xpath outfield=myresult /TestRun/Result/@outcome field=_raw default=broken | table myresult
I am expecting a table with a single entry of "passed".
However, the table contains the entry "broken" due to the usage of the default parameter.
I am using the latest version of Splunk Light 6.2.5.
I have read the official xpath documentation for Splunk and my sample is just a simple one.
Does anyone have any advice as to what I have missed or why the xpath search command is not working as expected?
Thanks!