topic Re: How can I use Rex or Regex to shorten up a timechart search by removing xmlkv function? in Splunk Search

How can I use Rex or Regex to shorten up a timechart search by removing xmlkv function?

diddyb — Mon, 12 Feb 2018 16:12:59 GMT

I'm trying to shorten up a timechart search by removing the xmlkv function. I've tried numerous times using rex and regex but have been unsuccessful.

Current working search string takes to long to execute is this:

index=abc sourcetype=abc_123 | xmlkv | search somequery
| timechart count by somequery usenull=F useother=F
| rename Yes AS "somequery good" No AS "somequery bad"

In place of the xmlkv | search somequery I've tried regex_raw="NoALIQuery." and other variations. The search pulls results, but for the purpose of timechart it shows them as only Null. I need them to show the somequery field true values of Yes or No

Re: How can I use Rex or Regex to shorten up a timechart search by removing xmlkv function?

FrankVl — Mon, 12 Feb 2018 16:31:20 GMT

Can you perhaps show what your data looks like and what exactly you are trying to accomplish with that | xmlkv | search somequery part? Maybe give an example of the output you want from this.

Re: How can I use Rex or Regex to shorten up a timechart search by removing xmlkv function?

diddyb — Mon, 12 Feb 2018 16:52:13 GMT

each search result has dozens of lines of xml formatted data. I'm only concerned with the data in one field (it will either be Yes or No). XMLKV would parse all the data and allow a search, but it takes a long time based on the amount of data. I want to look at the single field only for the purpose of this seaech / timechart

Re: How can I use Rex or Regex to shorten up a timechart search by removing xmlkv function?

niketn — Mon, 12 Feb 2018 17:45:08 GMT

Can you add a sample of the node that you need to extract?

You can either use spath to traverse and extract only the node you are interested in or else use rex to extract based on start and end pattern.

Please add some sample event or mock data for the community to assist.

Re: How can I use Rex or Regex to shorten up a timechart search by removing xmlkv function?

sashraf — Mon, 12 Feb 2018 17:51:42 GMT

Without seeing an example of the data you have and specifically the field you want to extract - you may find help with the below.

If you want to extract the value of the "gender" element from the following example XML:

<person>
  <gender>female</gender>
  <firstname>Anna</firstname>
  <lastname>Smith</lastname>
</person>

You would replace the xmlkv command with the following rex command:

rex field=_raw "gender=\"(?<gender>.*?)\""

If instead you want to extract the value of the gender attributefrom the following example XML:

<person gender="female">
  <firstname>Anna</firstname>
  <lastname>Smith</lastname>
</person>

Then in this case you would replace the xmlkv command with the following rex command:

rex field=_raw "\<gender\>(?<gender>.*?)\<\/gender\>"

Re: How can I use Rex or Regex to shorten up a timechart search by removing xmlkv function?

diddyb — Mon, 12 Feb 2018 21:03:19 GMT

Its like your first example -

now in using this example. if the expected results for gender is male or female, how to I use that data to create a timechart? If I use:

timechart count by gender

The results all show as NULL. I would like them to show male or female