XML with spath

index=demo1 sourcetype=xml-log-data | spath input=message | where strptime('message.updated_at', "%Y-%m-%d %H:%M:%S %z") > strptime("2013-08-07 00:00:00", "%Y-%m-%d %H:%M:%S")

purpose:

Searches index demo1, sourcetype xml-log-data, for events that carry a field called "message" holding an XML document. That composite field is expanded with spath (input=message), which surfaces each XML element as a field named by its path, here message.updated_at. The expanded timestamp is converted to epoch seconds with strptime (the value carries a UTC offset, hence %z in the format) and compared against a fixed cutoff so that only events updated after 2013-08-07 00:00:00 survive the where clause.

requirements:

An index named demo1 and a sourcetype xml-log-data whose events expose a message field containing XML with an updated_at element. spath and strptime are built-in SPL (no add-on needed).

comments:

The field value is parsed with %z, so each event's own UTC offset is honoured, but the cutoff literal carries no offset and strptime interprets it in the time zone in effect for the search (a user/search-head setting), not necessarily UTC. Appending an explicit offset to the literal, e.g. strptime("2013-08-07 00:00:00 +0000", "%Y-%m-%d %H:%M:%S %z"), removes that dependency. Events whose message.updated_at is missing or does not match the format yield null from strptime; a comparison against null is false in where, so such events are silently dropped rather than flagged.
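A self-contained version of the same search, added here as an illustration and not taken from the original page: it builds three sample XML events inline with makeresults (constructed data; the <message> root element and the <id> element are assumptions about the event shape), expands them with spath exactly as above, and pins the cutoff's time zone with an explicit +0000 offset. The third event reads 2013-08-06 on its own wall clock but carries a -0500 offset, so in UTC it falls after the cutoff; parsing with %z is what lets the comparison keep it, while the second event (23:30 UTC on the 6th) is correctly dropped.

```spl
| makeresults count=3
| streamstats count AS n
| eval message=case(
    n==1, "<message><id>1</id><updated_at>2013-08-08 12:00:00 +0000</updated_at></message>",
    n==2, "<message><id>2</id><updated_at>2013-08-06 23:30:00 +0000</updated_at></message>",
    n==3, "<message><id>3</id><updated_at>2013-08-06 22:00:00 -0500</updated_at></message>")
| spath input=message
| eval updated_epoch=strptime('message.updated_at', "%Y-%m-%d %H:%M:%S %z")
| eval cutoff_epoch=strptime("2013-08-07 00:00:00 +0000", "%Y-%m-%d %H:%M:%S %z")
| where updated_epoch > cutoff_epoch
| table message.id message.updated_at updated_epoch cutoff_epoch
```

Because the sample events are generated by makeresults, this runs on any Splunk instance without the demo1 index; swapping the first three lines for `index=demo1 sourcetype=xml-log-data` gives the production form. Keeping both epoch values in the table makes it easy to confirm that the offset, not the calendar date, decided each row.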