Documentation > Splunk > Search Reference > xpath

Search Reference

 


Introduction
Search Overview
Search Reference Overview
Search Commands and Functions
Search Command Reference
Custom Search Commands
Internal Search Commands
Search in the CLI

xpath

Contents

xpath

Synopsis

Extracts the xpath value from field and sets the outfield attribute.

Syntax

xpath [outfield=<field>] <string:xpath> [field=<field>] [default=<string>]

Required arguments

xpath
Syntax: <string>
Description: Specify the XPath reference.

Optional arguments

field
Syntax: field=<field>
Description: The field to find and extract the referenced xpath value. Defaults to _raw.
outfield
Syntax: outfield=<field>
Description: The field to write the xpath value. Defaults to xpath.
default
Syntax: default=<string>
Description: If the attribute referenced in xpath doesn't exist, this specifies what to write to outfield. If this isn't defined, there is no default value.

Description

Sets the value of outfield to the value of the xpath applied to field.

Examples

Example 1: Extract the name value from _raw XML events, which might look like this: 

<foo>
<bar name="spock">
</bar>
</foo>
sourcetype="xml" | xpath outfield=name "//bar/@name"

Example 2: Extract the identity_id and instrument_id from the _raw XML events: 

   <DataSet xmlns="">
        <identity_id>3017669</identity_id>
        <instrument_id>912383KM1</instrument_id>
        <transaction_code>SEL</transaction_code>
        <sname>BARC</sname>
        <currency_code>USA</currency_code>
   </DataSet> 

   <DataSet xmlns="">
        <identity_id>1037669</identity_id>
        <instrument_id>219383KM1</instrument_id>
        <transaction_code>SEL</transaction_code>
        <sname>TARC</sname>
        <currency_code>USA</currency_code>
   </DataSet>
... | xpath outfield=identity_id "//DataSet/identity_id"

This search will return two results: identity_id=3017669 and identity_id=1037669.

... | xpath outfield=instrument_id "//DataSet[sname=\"BARC\"]/instrument_id"

Because you specify sname="BARC", this search will return one result: instrument_id=912383KM1.

See also

extract, kvform, multikv, rex, spath, xmlkv

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the xpath command.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.3/SearchReference/Xpath"

This documentation applies to the following versions of Splunk: 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 5.0 , 5.0.1 , 5.0.2 View the Article History for its revisions.


Comments

No problem Sophy, thanks for pointing me to spath - will take a look at it

Izakw
July 25, 2012

Izakw, thanks! i corrected the examples. you may also want to check out the spath command for XML and JSON field extraction.

Sophy, Splunker
July 24, 2012

Tried on Splunk 4.3.3 , it didn't work as documented. We had to specify the outfield= before the XPath expression:

This works: xpath outfield=identity_id "//DataSet/identity_id"
This doesn't work: xpath "//DataSet/identity_id" outfield=identity_id

Izakw
July 24, 2012

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!