topic Re: How to write a basic SPLUNK query which returns value A, B, C & D. in Splunk Search

How to write a basic SPLUNK query which returns value A, B, C & D.

t964396 — Tue, 04 Jul 2017 23:51:35 GMT

Can you please help me on how to write a basic SPLUNK query which returns value A, B, C & D.

here are the sample XML tags screenshot attached

Re: How to write a basic SPLUNK query which returns value A, B, C & D.

cmerriman — Wed, 05 Jul 2017 00:15:42 GMT

You're trying to extract these into one field? Or what are you expecting as an output?

Re: How to write a basic SPLUNK query which returns value A, B, C & D.

t964396 — Wed, 05 Jul 2017 00:17:04 GMT

trying to extract this output as a table

Re: How to write a basic SPLUNK query which returns value A, B, C & D.

cmerriman — Wed, 05 Jul 2017 00:28:48 GMT

Try something like this:

|rex "one\>(?<one>\w+)|two\>(?<two>\w+)"|table one two

The regex should extract what is in the one and two nodes and put them in fields called one and two.

Re: How to write a basic SPLUNK query which returns value A, B, C & D.

t964396 — Wed, 05 Jul 2017 00:57:48 GMT

Thanks!, I tried but still, it returns only A, B.. but not C, D & E, F.

Re: How to write a basic SPLUNK query which returns value A, B, C & D.

cmisztur — Wed, 05 Jul 2017 01:43:11 GMT

wouldn't you want to use xpath or spath to deal with XML?

Re: How to write a basic SPLUNK query which returns value A, B, C & D.

t964396 — Wed, 05 Jul 2017 02:09:25 GMT

I tried as well, but not sure on it. here is the sample request, which I am trying to put it on a table (which results with error descp 1, 2 & 3). please advise.

Re: How to write a basic SPLUNK query which returns value A, B, C & D.

t964396 — Wed, 05 Jul 2017 02:24:29 GMT

I tried, but not sure on it. So I had written a query using rex as below, it returns only error code1 detail1 all the times.

(one = code , two = detail)

InterfaceResponse|
rex "\(?.{2,60})<\/msg:succes" | where success = "false" |
rex "\(?.{2,60})<\/msg:cod" |
rex "\(?.{10,60})<\/msg:cod" |
rex "\(?.{10,60})<\/msg:cod" |
rex "(?.{2,60})<\/msg:detai" |
rex "(?.{10,60})<\/msg:detai" |
rex "(?.{10,60})<\/msg:detai" |
table MessageUUID success errorcode1 errorcode2 errorcode3 detail1 detail2 detail3

Re: How to write a basic SPLUNK query which returns value A, B, C & D.

cmerriman — Wed, 05 Jul 2017 11:52:56 GMT

when you tried xpath, what did you try? |xpath outfield=one "//msg:XYS/msg:ONE"