topic Re: Search the data from a xml based log file based on the condition in Getting Data In

Search the data from a xml based log file based on the condition

rafimails — Thu, 23 Jan 2020 07:28:46 GMT

Hi,
I am trying to search and display the data from a xml based log file with the matching condition.
My XML is like below:

 <track-exception-code>70</track-exception-code>
<track-item-number>779771138490</track-item-number>
<track-location-code>COKED</track-location-code>
<track-scan-time>0933</track-scan-time>
<track-type>07</track-type>

I used the below query to search for the track-item-number

host="" source="" |xpath outfield=track-item-number "//EnhancedEvent/master-list[track-type='07']/track-item-number"

The result should display track-item-number as 779771138490 when i use the condition where track-type=07 and track-exception-code=70

No results were displayed when i ran the above query. Could you please help me in this regard.

Regard
Rafi

Re: Search the data from a xml based log file based on the condition

to4kawa — Thu, 23 Jan 2020 09:00:01 GMT

....
| spath

Hi, how about this

Re: Search the data from a xml based log file based on the condition

rafimails — Thu, 23 Jan 2020 09:37:03 GMT

can u give me the full query with spath?

Re: Search the data from a xml based log file based on the condition

to4kawa — Thu, 23 Jan 2020 09:44:39 GMT

sorry, now I can't touch splunk.
another way:

index=yourindex "<track-item-number>"
|rex "\<track-item-number\>(?<track_item_number>\d+)"

maybe works.

Re: Search the data from a xml based log file based on the condition

rafimails — Thu, 23 Jan 2020 10:06:50 GMT

not working

Re: Search the data from a xml based log file based on the condition

rafimails — Thu, 23 Jan 2020 10:07:56 GMT

index name can be any? if not where i can see the indexname

Re: Search the data from a xml based log file based on the condition

to4kawa — Thu, 23 Jan 2020 11:28:23 GMT

sorry, you can't try spath?

_time   track-exception-code    track-item-number   track-location-code track-scan-time track-type
2020/01/23 20:25:50 70  779771138490    COKED   0933    07

The fields should be extracted neatly

Re: Search the data from a xml based log file based on the condition

rafimails — Thu, 23 Jan 2020 11:34:03 GMT

can you give me the search string for the above result?

Re: Search the data from a xml based log file based on the condition

rafimails — Thu, 23 Jan 2020 11:35:39 GMT

This is how my xml looks like

<master-list>
<track-exception-code>70</track-exception-code>
<track-item-number>779771138490</track-item-number>
<track-location-code>COKED</track-location-code>
<track-scan-time>0933</track-scan-time>
<track-type>07</track-type>

Re: Search the data from a xml based log file based on the condition

to4kawa — Thu, 23 Jan 2020 12:00:20 GMT

Please add your query below.

| spath

Re: Search the data from a xml based log file based on the condition

efavreau — Thu, 23 Jan 2020 13:46:58 GMT

@rafimails Sometimes using xpath or spath isn't what's best for readability or easiest. Sometimes it is. I've found using regular expressions is sometimes quite similar in performance and easier for readability, which is what I'll show you below in a run anywhere example:

| makeresults 
| eval _raw="<track-exception-code>70</track-exception-code>,<track-item-number>779771138490</track-item-number>,<track-location-code>COKED</track-location-code>,<track-scan-time>0933</track-scan-time>,<track-type>07</track-type>"
| makemv _raw delim=","
| rex field=_raw "<track-exception-code>(?<track_exception_code>.+)<\/track-exception-code>"
| rex field=_raw "<track-item-number>(?<track_item_number>.+)</track-item-number>"
| rex field=_raw "<track-location-code>(?<track_location_code>.+)</track-location-code>"
| rex field=_raw "<track-scan-time>(?<track_scan_time>.+)<\/track-scan-time>"
| rex field=_raw "<track-type>(?<track_type>.+)<\/track-type>"

Now all your data is in fields that you can manipulate as you need. Cheers!

Re: Search the data from a xml based log file based on the condition

rafimails — Sun, 26 Jan 2020 07:04:47 GMT

this xml data in the logs are dynamic. I just want to search the data based on condition. Exmaple my sample log file name is sample.log host is abc and in the sample log lets say track-type is 7 and track-exceiption-code is 74 and track-item-number is 12345
I want to read this log file and display the track-item-number as 12345 when track-type=7 and track-exception-code is=74
the root elements for the xml file is Enhancementevent and masterlist

Sample xml file looks like below

12345
7
74

Search string:

host=abc source= sample.log