xpath
Description
Extracts the xpath value from field
and sets the outfield
attribute.
Syntax
xpath [outfield=<field>] <xpath-string> [field=<field>] [default=<string>]
Required arguments
- xpath-string
- Syntax: <string>
- Description: Specifies the XPath reference.
Optional arguments
- field
- Syntax: field=<field>
- Description: The field to find and extract the referenced
xpath
value from. - Default:
_raw
- outfield
- Syntax: outfield=<field>
- Description: The field to write, or output, the
xpath
value to. - Default:
xpath
- default
- Syntax: default=<string>
- Description: If the attribute referenced in
xpath
doesn't exist, this specifies what to write to theoutfield
. If this isn't defined, there is no default value.
Usage
The xpath
command is a distributable streaming command. See Command types.
The xpath
command supports the syntax described in the Python Standard Library 19.7.2.2. Supported XPath syntax.
Examples
1. Extract values from a single element in _raw
XML events
You want to extract values from a single element in _raw
XML events and write those values to a specific field.
The _raw
XML events look like this:
<foo> <bar nickname="spock"> </bar> </foo> <foo> <bar nickname="scotty"> </bar> </foo> <foo> <bar nickname="bones"> </bar> </foo>
Extract the nickname
values from _raw
XML events. Output those values to the name
field.
sourcetype="xml" | xpath outfield=name "//bar/@nickname"
2. Extract multiple values from _raw
XML events
Extract multiple values from _raw
XML events
The _raw
XML events look like this:
<DataSet xmlns=""> <identity_id>3017669</identity_id> <instrument_id>912383KM1</instrument_id> <transaction_code>SEL</transaction_code> <sname>BARC</sname> <currency_code>USA</currency_code> </DataSet> <DataSet xmlns=""> <identity_id>1037669</identity_id> <instrument_id>219383KM1</instrument_id> <transaction_code>SEL</transaction_code> <sname>TARC</sname> <currency_code>USA</currency_code> </DataSet>
Extract the values from the identity_id
element from the _raw
XML events:
... | xpath outfield=identity_id "//DataSet/identity_id"
This search returns two results: identity_id=3017669
and identity_id=1037669
.
To extract a combination of two elements, sname
with a specific value and instrument_id
, use this search:
... | xpath outfield=instrument_id "//DataSet[sname='BARC']/instrument_id"
Because you specify sname='BARC'
, this search returns one result: instrument_id=912383KM1
.
3. Testing extractions from XML
events
You can use the makeresults
command to test xpath
extractions.
You must add field=xml
to the end of your search. For example:
| makeresults | eval xml="<DataSet xmlns=\"\"> <identity_id>1037669</identity_id> <instrument_id>219383KM1</instrument_id> <transaction_code>SEL</transaction_code> <sname>TARC</sname> <currency_code>USA</currency_code> </DataSet>" | xpath outfield=identity_id "//DataSet/identity_id" field=xml
See also
xmlunescape | xyseries |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.1.13, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0, 8.1.10, 8.1.12, 8.1.14, 8.1.2
Feedback submitted, thanks!