xpath

xpath

Synopsis

Extracts the xpath value from field and sets the outfield attribute.

Syntax

xpath <string:xpath> [field=<field>] [outfield=<field>] [default=<string>]

Required arguments

xpath

Syntax: <string>

Description: Specify the XPath reference.

Optional arguments

field

Syntax: field=<field>

Description: The field to find and extract the referenced xpath value. Defaults to _raw.

outfield

Syntax: outfield=<field>

Description: The field to write the xpath value. Defaults to xpath.

default

Syntax: default=<string>

Description: If the attribute referenced in xpath doesn't exist, this specifies what to write to outfield. If this isn't defined, there is no default value.

Description

Sets the value of outfield to the value of the xpath applied to field.

Examples

Example 1: Extract the name value from _raw XML events, which might look like this:

<foo>
<bar name="spock">
</bar>
</foo>

Example 2: Extract the identity_id and instrument_id from the _raw XML events:

   <DataSet xmlns="">
        <identity_id>3017669</identity_id>
        <instrument_id>912383KM1</instrument_id>
        <transaction_code>SEL</transaction_code>
        <sname>BARC</sname>
        <currency_code>USA</currency_code>
   </DataSet> 

   <DataSet xmlns="">
        <identity_id>1037669</identity_id>
        <instrument_id>219383KM1</instrument_id>
        <transaction_code>SEL</transaction_code>
        <sname>TARC</sname>
        <currency_code>USA</currency_code>
   </DataSet>

This search will return two results: identity_id=3017669 and identity_id=1037669.

Because you specify sname="BARC", this search will return one result: instrument_id=912383KM1.

See also

extract, kvform, multikv, rex, xmlkv

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the xpath command.

• Was this topic useful?
• Post a comment