xpath
Description
Extracts the xpath value from field and sets the outfield attribute.
The xpath command returns empty results when the input XML strings have prologue headers, such as an XML version declaration or a DOCTYPE. As a result, use the spath command instead of the xpath command when extracting such XML content.
Syntax
xpath [outfield=<field>] <xpath-string> [field=<field>] [default=<string>]
Required arguments
xpath-string
Syntax: <string>
Description: Specifies the XPath reference.
Optional arguments
field
Syntax: field=<field>
Description: The field to find and extract the referenced xpath value from.
Default: _raw
outfield
Syntax: outfield=<field>
Description: The field to write, or output, the xpath value to.
Default: xpath
default
Syntax: default=<string>
Description: If the attribute referenced in xpath doesn't exist, this specifies what to write to the outfield. If this isn't defined, there is no default value.
Usage
The xpath command is a distributable streaming command. See Command types.
The xpath command supports the XPath subset described in the Python Standard Library documentation for xml.etree.ElementTree, section 19.7.2.2 "Supported XPath syntax".
Examples
1. Extract values from a single element in _raw XML events
You want to extract values from a single element in _raw XML events and write those values to a specific field.
The _raw XML events look like this:
<foo>
  <bar nickname="spock">
  </bar>
</foo>
<foo>
  <bar nickname="scotty">
  </bar>
</foo>
<foo>
  <bar nickname="bones">
  </bar>
</foo>
Extract the nickname values from _raw XML events. Output those values to the name field.
sourcetype="xml" | xpath outfield=name "//bar/@nickname"
2. Extract multiple values from _raw XML events
The _raw XML events look like this:
<DataSet xmlns="">
<identity_id>3017669</identity_id>
<instrument_id>912383KM1</instrument_id>
<transaction_code>SEL</transaction_code>
<sname>BARC</sname>
<currency_code>USA</currency_code>
</DataSet>
<DataSet xmlns="">
<identity_id>1037669</identity_id>
<instrument_id>219383KM1</instrument_id>
<transaction_code>SEL</transaction_code>
<sname>TARC</sname>
<currency_code>USA</currency_code>
</DataSet>
To extract the values of the identity_id element from the _raw XML events:
... | xpath outfield=identity_id "//DataSet/identity_id"
This search returns two results: identity_id=3017669 and identity_id=1037669.
To extract the instrument_id value only from DataSet elements whose sname has a specific value, use this search:
... | xpath outfield=instrument_id "//DataSet[sname='BARC']/instrument_id"
Because you specify sname='BARC', this search returns one result: instrument_id=912383KM1.
3. Testing extractions from XML events
You can use the makeresults command to test xpath extractions.
You must add field=xml to the xpath command at the end of your search, so that the command reads the test XML from the xml field rather than from _raw. For example:
| makeresults
| eval xml="<DataSet xmlns=\"\">
<identity_id>1037669</identity_id>
<instrument_id>219383KM1</instrument_id>
<transaction_code>SEL</transaction_code>
<sname>TARC</sname>
<currency_code>USA</currency_code>
</DataSet>"
| xpath outfield=identity_id "//DataSet/identity_id" field=xml
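The following Python is an added worked model of the three examples above and of the prologue caveat in the Description; it is not Splunk's implementation and not part of the original page. It evaluates the page's XPath strings over constructed copies of the sample events with the ElementTree XPath subset the page refers to; wrapping each event in a synthetic root and applying a trailing "/@attr" step by hand are assumptions of this emulation, not documented command behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed sample events mirroring the page's three <foo>/<bar> events and
# two <DataSet> events, one string per _raw event.
BAR_EVENTS = [
    '<foo><bar nickname="spock"></bar></foo>',
    '<foo><bar nickname="scotty"></bar></foo>',
    '<foo><bar nickname="bones"></bar></foo>',
]
DATASET_EVENTS = [
    '<DataSet xmlns=""><identity_id>3017669</identity_id>'
    '<instrument_id>912383KM1</instrument_id><transaction_code>SEL</transaction_code>'
    '<sname>BARC</sname><currency_code>USA</currency_code></DataSet>',
    '<DataSet xmlns=""><identity_id>1037669</identity_id>'
    '<instrument_id>219383KM1</instrument_id><transaction_code>SEL</transaction_code>'
    '<sname>TARC</sname><currency_code>USA</currency_code></DataSet>',
]
# Constructed event with a prologue header, the case the page says returns nothing.
PROLOG_EVENT = '<?xml version="1.0"?><foo><bar nickname="uhura"></bar></foo>'


def xpath_extract(raw, xpath_string, default=None):
    """Return the list of values one event yields for xpath_string.

    Emulation only (assumption): the event is wrapped in a synthetic root so
    several top-level elements parse, and a trailing '/@attr' step, which
    ElementTree does not support itself, is applied by hand.
    """
    path, attr = xpath_string, None
    if "/@" in path:
        path, attr = path.rsplit("/@", 1)
    if path.startswith("//"):
        path = "." + path  # ElementTree rejects absolute paths on an element
    try:
        root = ET.fromstring("<synthetic_root>" + raw + "</synthetic_root>")
    except ET.ParseError:
        # An XML declaration or DOCTYPE inside the wrapper is not well-formed,
        # so the event yields nothing: the empty result the page warns about.
        return []
    values = [el.get(attr) if attr else el.text for el in root.findall(path)]
    values = [v for v in values if v is not None]
    if not values and default is not None:
        return [default]  # the documented default= fallback when nothing matches
    return values


def run_search(events, xpath_string, default=None):
    """Apply xpath_extract to every event, like '... | xpath <path>' over a result set."""
    return [v for ev in events for v in xpath_extract(ev, xpath_string, default)]
```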