Can splunk Do this? XPATH - XML Node with more tha...

lpolo · ‎01-09-2012

Is this possible in Splunk?

I have a log event with XML format. One of the XML nodes has more than one attribute. Example:

My xpath expression to get all the attributes will be:

| xpath "//Boolean_Filters/@*"

but I am unable to get the value of all the attributes. How can I do it with Splunk?

I can get the value one by one example:

| xpath "//Boolean_Filters/@linear" outfield=linear.

Thanks.

lpolo · ‎01-19-2012

Splunk can do it without any problem.
In my case, Splunk was failing because my events were mal-form XML instances. As a result, I could not aggregate the result set with the stats function after the result set. Like for example:

| xpath "//Boolean_Filters/@* outfield="values"|stats count by values

so I used this work-around:

| xpath "//Boolean_Filters/@* outfield="values"|table linear non_linear offset

Or this one:

| xpath "//Boolean_Filters/@* outfield="values"|
stats sum(eval(if(linear="true",1,0))) as Linear_Count
sum(eval(if(non_linear="true",1,0))) as non_linear_Count
sum(eval(if(offset="true",1,0))) as offset_Count

Cheers,
Lp
Thanks,
Lp

Thanks,
Lp

Can splunk Do this? XPATH - XML Node with more than one Attribute

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...