XPath is a powerful language for selecting values from an XML document. Unlike xmlkv, which uses regular expressions, XPath uses an XML parser. This means that the event must actually contain a valid XML document.
For example, consider the following XML document:
<d>
  <a x="1">foo</a>
  <a x="2">foo2</a>
  <b>bar</b>
</d>
If we wanted the value for a tag whose x attribute equals 2, the XPath code would look like this:
//d/a[@x='2']
To test this, let's use our |stats trick to generate a single event and execute the xpath statement:
|stats count | eval _raw="<d><a x='1'>foo</a><a x='2'>foo2</a><b>bar</b></d>" | xpath outfield=a "//d/a[@x='2']"
This generates an output as shown in the following screenshot:
The xpath command will also retrieve ...
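The parser requirement described above can be reproduced outside Splunk. The following Python sketch is an added example, not code from the original text or from Splunk. It runs the same selection over the sample document and over a truncated copy of it. The function names and the truncated event are constructed for illustration, and the regex function is only a rough stand-in for regex-based extraction, not xmlkv's actual implementation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample events: the document from the text, and a truncated copy
# such as a line-broken or cut-off log event might contain.
VALID_EVENT = "<d><a x='1'>foo</a><a x='2'>foo2</a><b>bar</b></d>"
TRUNCATED_EVENT = "<d><a x='1'>foo</a><a x='2'>foo2</a><b>bar"

# ElementTree implements a subset of XPath and evaluates paths relative to the
# root element <d>, so the page's //d/a[@x='2'] is written as ./a[@x='2'] here.
ELEMENTTREE_PATH = "./a[@x='2']"


def xpath_extract(raw, path):
    """Parse raw as XML and return the text of every node matching path.

    Returns None when raw is not well-formed XML: a parser-based extraction
    has no document to query in that case.
    """
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return None
    return [node.text for node in root.findall(path)]


def regex_extract(raw, tag):
    """Hypothetical regex stand-in: pull <tag ...>value</tag> pairs as text."""
    pattern = r"<{0}\b[^>]*>([^<]*)</{0}>".format(re.escape(tag))
    return re.findall(pattern, raw)


if __name__ == "__main__":
    for name, event in (("valid", VALID_EVENT), ("truncated", TRUNCATED_EVENT)):
        print(name, "xpath:", xpath_extract(event, ELEMENTTREE_PATH))
        print(name, "regex:", regex_extract(event, "a"))
```

On the truncated event the regex still returns values while the parser-based lookup returns nothing, so a search that depends on xpath needs the complete XML document in the event.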