Splunk Cloud Platform

Search Reference

xpath

Description

Extracts the xpath value from field and sets the outfield attribute.

Syntax

xpath [outfield=<field>] <xpath-string> [field=<field>] [default=<string>]

Required arguments

xpath-string
Syntax: <string>
Description: Specifies the XPath reference.

Optional arguments

field
Syntax: field=<field>
Description: The field to find and extract the referenced xpath value from.
Default: _raw
outfield
Syntax: outfield=<field>
Description: The field to write, or output, the xpath value to.
Default: xpath
default
Syntax: default=<string>
Description: If the attribute referenced in xpath doesn't exist, this specifies what to write to the outfield. If this isn't defined, there is no default value.

Usage

The xpath command is a distributable streaming command. See Command types.

The xpath command supports the syntax described in the Python Standard Library 19.7.2.2. Supported XPath syntax.

Examples

1. Extract values from a single element in _raw XML events

You want to extract values from a single element in _raw XML events and write those values to a specific field.

The _raw XML events look like this:

   <foo>
      <bar nickname="spock">
      </bar>
   </foo>
   <foo>
      <bar nickname="scotty">
      </bar>
   </foo>
   <foo>
      <bar nickname="bones">
      </bar>
   </foo>

Extract the nickname values from _raw XML events. Output those values to the name field.

sourcetype="xml" | xpath outfield=name "//bar/@nickname"

2. Extract multiple values from _raw XML events

Extract multiple values from _raw XML events

The _raw XML events look like this:

   <DataSet xmlns="">
        <identity_id>3017669</identity_id>
        <instrument_id>912383KM1</instrument_id>
        <transaction_code>SEL</transaction_code>
        <sname>BARC</sname>
        <currency_code>USA</currency_code>
   </DataSet> 

   <DataSet xmlns="">
        <identity_id>1037669</identity_id>
        <instrument_id>219383KM1</instrument_id>
        <transaction_code>SEL</transaction_code>
        <sname>TARC</sname>
        <currency_code>USA</currency_code>
   </DataSet>

Extract the values from the identity_id element from the _raw XML events:

... | xpath outfield=identity_id "//DataSet/identity_id"

This search returns two results: identity_id=3017669 and identity_id=1037669.


To extract a combination of two elements, sname with a specific value and instrument_id, use this search:

... | xpath outfield=instrument_id "//DataSet[sname='BARC']/instrument_id"

Because you specify sname='BARC', this search returns one result: instrument_id=912383KM1.

3. Testing extractions from XML events

You can use the makeresults command to test xpath extractions.

You must add field=xml to the end of your search. For example:

| makeresults
| eval xml="<DataSet xmlns=\"\">
        <identity_id>1037669</identity_id>
        <instrument_id>219383KM1</instrument_id>
        <transaction_code>SEL</transaction_code>
        <sname>TARC</sname>
        <currency_code>USA</currency_code>
   </DataSet>"
| xpath outfield=identity_id "//DataSet/identity_id" field=xml

See also

extract, kvform, multikv, rex, spath, xmlkv

Last modified on 22 July, 2020
xmlunescape   xyseries

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters