Using an external command is significantly slower than using the native
search language, particularly if you are dealing with large sets of data. If
it is possible to build the required fields using rex or eval, it will execute
faster and it will introduce a smaller load on your Splunk servers. For
instance, in the previous example, the fields could be extracted using:
| rex "<a.*?>(?<a>.*?)<" | rex "<b.*?>(?<b>.*?)<"
XPath
XPath is a powerful language for selecting values from an XML document. Unlike
xmlkv, which uses regular expressions, XPath uses an XML parser. This means that
the event must actually contain a valid XML document.
For example, consider the following XML document:
<d>
<a x="1">foo</a>
<a x="2">foo2</a>
<b>bar</b>
</d>
If we wanted the value for the a tag whose x attribute equals 2, the XPath code
would look like this:
//d/a[@x='2']
To test this, let's use our |stats trick to generate a single event and execute the
xpath statement:
|stats count
| eval _raw="<d><a x='1'>foo</a><a x='2'>foo2</a><b>bar</b></d>"
| xpath outfield=a "//d/a[@x='2']"
This generates the output shown in the following screenshot:
xpath will also retrieve multivalue fields. For instance, this xpath statement simply
says to find any a field:
|stats count
| eval _raw="<d><a x='1'>foo</a><a x='2'>foo2</a><b>bar</b></d>"
| xpath outfield=a "//a"
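As an added example (not code from the book or from Splunk), the following stand-alone Python script reproduces both extractions over the sample event above using only the standard library: an ElementTree-based lookup standing in for the xpath command, and a regular expression standing in for rex. It also shows the caveat stated above: on an event that is not well-formed XML the parser-based extraction fails, while the regex still returns values. The helper names and the second, deliberately broken event are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample event: the same XML the search builds with eval _raw=...
RAW_XML = "<d><a x='1'>foo</a><a x='2'>foo2</a><b>bar</b></d>"
# Constructed event that is NOT well-formed XML (the <b> element is never closed)
RAW_BROKEN = "<d><a x='1'>foo</a><a x='2'>foo2</a><b>bar</d>"


def xpath_values(raw, expr):
    """Stand-in for `| xpath outfield=... "<expr>"`: parse the event as XML and
    return the text of every node matched by `expr`.

    ElementTree implements only a subset of XPath and evaluates paths relative
    to the root element (<d> here), so the page's absolute //d/a[@x='2']
    becomes "a[@x='2']" and //a becomes ".//a".
    Raises ValueError when the event is not a valid XML document.
    """
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ValueError(f"event is not valid XML: {exc}") from None
    return [node.text for node in root.findall(expr)]


def rex_values(raw, tag):
    """Stand-in for `| rex "<tag.*?>(?<tag>.*?)<"`: the same pattern as the
    page's rex example, written with Python's (?P<name>...) group syntax.
    No parsing takes place, so malformed XML is matched just the same.
    """
    pattern = re.compile(rf"<{tag}.*?>(?P<{tag}>.*?)<")
    return pattern.findall(raw)


if __name__ == "__main__":
    print(xpath_values(RAW_XML, "a[@x='2']"))   # ['foo2']
    print(xpath_values(RAW_XML, ".//a"))        # ['foo', 'foo2']  (multivalue)
    print(rex_values(RAW_XML, "a"))             # ['foo', 'foo2']
    print(rex_values(RAW_BROKEN, "a"))          # ['foo', 'foo2']  regex still works
    try:
        xpath_values(RAW_BROKEN, ".//a")
    except ValueError as err:
        print(err)                              # parser rejects the broken event
```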