xpath
Description
Extracts the xpath value from field and sets the outfield attribute.
Syntax
xpath [outfield=<field>] <xpath-string> [field=<field>] [default=<string>]
Required arguments
- xpath-string
- Syntax: <string>
- Description: Specifies the XPath reference.
Optional arguments
- field
- Syntax: field=<field>
- Description: The field to find and extract the referenced
xpathvalue from. - Default:
_raw
- outfield
- Syntax: outfield=<field>
- Description: The field to write, or output, the
xpathvalue to. - Default:
xpath
- default
- Syntax: default=<string>
- Description: If the attribute referenced in
xpathdoesn't exist, this specifies what to write to theoutfield. If this isn't defined, there is no default value.
Usage
The xpath command is a distributable streaming command. See Command types.
The xpath command supports the syntax described in the Python Standard Library 19.7.2.2. Supported XPath syntax.
Examples
1. Extract values from a single element in _raw XML events
You want to extract values from a single element in _raw XML events and write those values to a specific field.
The _raw XML events look like this:
<foo>
<bar nickname="spock">
</bar>
</foo>
<foo>
<bar nickname="scotty">
</bar>
</foo>
<foo>
<bar nickname="bones">
</bar>
</foo>
Extract the nickname values from _raw XML events. Output those values to the name field.
sourcetype="xml" | xpath outfield=name "//bar/@nickname"
2. Extract multiple values from _raw XML events
Extract multiple values from _raw XML events
The _raw XML events look like this:
<DataSet xmlns="">
<identity_id>3017669</identity_id>
<instrument_id>912383KM1</instrument_id>
<transaction_code>SEL</transaction_code>
<sname>BARC</sname>
<currency_code>USA</currency_code>
</DataSet>
<DataSet xmlns="">
<identity_id>1037669</identity_id>
<instrument_id>219383KM1</instrument_id>
<transaction_code>SEL</transaction_code>
<sname>TARC</sname>
<currency_code>USA</currency_code>
</DataSet>
Extract the values from the identity_id element from the _raw XML events:
... | xpath outfield=identity_id "//DataSet/identity_id"
This search returns two results: identity_id=3017669 and identity_id=1037669.
To extract a combination of two elements, sname with a specific value and instrument_id, use this search:
... | xpath outfield=instrument_id "//DataSet[sname='BARC']/instrument_id"
Because you specify sname='BARC', this search returns one result: instrument_id=912383KM1.
3. Testing extractions from XML events
You can use the makeresults command to test xpath extractions.
You must add field=xml to the end of your search. For example:
| makeresults
| eval xml="<DataSet xmlns=\"\">
<identity_id>1037669</identity_id>
<instrument_id>219383KM1</instrument_id>
<transaction_code>SEL</transaction_code>
<sname>TARC</sname>
<currency_code>USA</currency_code>
</DataSet>"
| xpath outfield=identity_id "//DataSet/identity_id" field=xml
See also
| xmlunescape | xyseries |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!