In this blog we are going to explore xpath command in splunk. Xpath is used to extract information from xml data types. This command extract fields from complex xml data set. Xpath command also support Python Standard Library Supported XPath syntax.

Splunk  has capabilities to extract field names and xml key value  by making KV_MODE=XML. But some for complex data fileds are not getting extracted  for that extraction scenerio we are using xpath command 


    <country name="Liechtenstein">
        <neighbor name="Austria" direction="E"/>
        <neighbor name="Switzerland" direction="W"/>
    <country name="Singapore">
        <neighbor name="Malaysia" direction="N"/>
    <country name="Panama">
        <neighbor name="Costa Rica" direction="W"/>
        <neighbor name="Colombia" direction="E"/>

In this xml data if we want to extract values of country we can simply use xpath command following python standard library tags
Outputfield is used for field name.

index =xs source="test.xml" | xpath outfield=country  “//country/@name”

In above given xml data if we want extract another field such as gdppc .we can use similar syntax method

index =xs source="test.xml" | xpath outfield=gdppc  “//country/gdppc”

If we want to go for specific part of data we can use some attributes to extract particular part of data for example if I want only one country name in above given data then I can simply use xpath command with some python standard library syntax tag

index =xs source="test.xml" | xpath outfield=country  “//country[@name= ‘Liechtenstein’]/@name”

This are some uses of xpath command for extracting fields in xml data formats  

If you are still facing an issue regarding xpath command in splunk, Feel free to Ask Doubts in the Comment Section Below and Don’t Forget to Follow us on 👍 Social Networks. Happy Splunking 😉