Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

xpath

Description

Extracts the xpath value from field and sets the outfield attribute.

Syntax

xpath [outfield=<field>] <xpath-string> [field=<field>] [default=<string>]

Required arguments

xpath-string
Syntax: <string>
Description: Specifies the XPath reference.

Optional arguments

field
Syntax: field=<field>
Description: The field to find and extract the referenced xpath value from.
Default: _raw
outfield
Syntax: outfield=<field>
Description: The field to write, or output, the xpath value to.
Default: xpath
default
Syntax: default=<string>
Description: If the attribute referenced in xpath doesn't exist, this specifies what to write to the outfield. If this isn't defined, there is no default value.

Usage

The xpath command is a distributable streaming command. See Command types.

The xpath command supports the syntax described in the Python Standard Library 19.7.2.2. Supported XPath syntax.

Examples

1. Extract values from a single element in _raw XML events

You want to extract values from a single element in _raw XML events and write those values to a specific field.

The _raw XML events look like this: 

   <foo>
      <bar nickname="spock">
      </bar>
   </foo>
   <foo>
      <bar nickname="scotty">
      </bar>
   </foo>
   <foo>
      <bar nickname="bones">
      </bar>
   </foo>

Extract the nickname values from _raw XML events. Output those values to the name field.

sourcetype="xml" | xpath outfield=name "//bar/@name"

2. Extract multiple values from _raw XML events

Extract multiple values from _raw XML events

The _raw XML events look like this: 

   <DataSet xmlns="">
        <identity_id>3017669</identity_id>
        <instrument_id>912383KM1</instrument_id>
        <transaction_code>SEL</transaction_code>
        <sname>BARC</sname>
        <currency_code>USA</currency_code>
   </DataSet> 

   <DataSet xmlns="">
        <identity_id>1037669</identity_id>
        <instrument_id>219383KM1</instrument_id>
        <transaction_code>SEL</transaction_code>
        <sname>TARC</sname>
        <currency_code>USA</currency_code>
   </DataSet>

Extract the values from the identity_id element from the _raw XML events:

... | xpath outfield=identity_id "//DataSet/identity_id"

This search returns two results: identity_id=3017669 and identity_id=1037669.


To extract a combination of two elements, sname with a specific value and instrument_id, use this search:

... | xpath outfield=instrument_id "//DataSet[sname='BARC']/instrument_id"

Because you specify sname='BARC', this search returns one result: instrument_id=912383KM1.

3. Testing extractions from XML events

You can use the makeresults command to test xpath extractions.

You must add field=xml to the end of your search. For example: 

| makeresults
| eval xml="<DataSet xmlns=\"\">
        <identity_id>1037669</identity_id>
        <instrument_id>219383KM1</instrument_id>
        <transaction_code>SEL</transaction_code>
        <sname>TARC</sname>
        <currency_code>USA</currency_code>
   </DataSet>"
| xpath outfield=identity_id "//DataSet/identity_id" field=xml

See also

extract, kvform, multikv, rex, spath, xmlkv

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the xpath command.

PREVIOUS
xmlunescape 		  NEXT
xsDisplayConcept

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.10, 6.4.11, 6.5.0, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0, 8.0.1, 6.4.9, 6.5.1, 6.5.10, 6.5.1612 (Splunk Cloud only)

Comments

Sorry -- my previous comment didn't appear correctly. The first example was XML with a "type" attribute. The second example was XML with a "xsi:type" attribute.

MatMeredith
December 8, 2014

It appears that Splunk's xpath doesn't handle namespaces correctly? xpath can successfully extract the CallType from this:<br /><br />17<br /><br />But fails to extract anything if you try it on this:<br /><br />17

MatMeredith
December 8, 2014

No problem Sophy, thanks for pointing me to spath - will take a look at it

Izakw
July 25, 2012

Izakw, thanks! i corrected the examples. you may also want to check out the spath command for XML and JSON field extraction.

Sophy, Splunker
July 24, 2012

Tried on Splunk 4.3.3 , it didn't work as documented. We had to specify the outfield= before the XPath expression: <br /><br />This works: xpath outfield=identity_id "//DataSet/identity_id" <br />This doesn't work: xpath "//DataSet/identity_id" outfield=identity_id

Izakw
July 24, 2012

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters