topic Re: Counting xml tags in raw event in Splunk Search

Counting xml tags in raw event

ajaysamantbms — Mon, 16 Dec 2013 01:03:08 GMT

my event records are xml based as shown below coming in from one file, one sourcetype-
12........
..... // inside transaction tag i can contain anything
.....
.....
.....
.....
.....
.....
I am able to extract child tags inside each one - thats not an issue.
But how do i count how many records were of type Transaction and how many were of type Error.

Re: Counting xml tags in raw event

somesoni2 — Mon, 16 Dec 2013 06:11:01 GMT

how are you extracting fields? Using regular expression for each field or using spath?

Re: Counting xml tags in raw event

lguinn2 — Mon, 16 Dec 2013 12:37:27 GMT

Try this

sourcetype=gatewaylogs1 "<transaction>" OR "<error>" 
| eval type=case (match(_raw,"\<transaction\>", "Transaction",  match(_raw,"\<error\>", "Error")
| stats count by type

if the transaction contains an XML error field, it will be counted only as a transaction, not as an error

Re: Counting xml tags in raw event

ajaysamantbms — Mon, 28 Sep 2020 15:29:30 GMT

Tried this

sourcetype=gatewaylogs1 | eval type=case ( match(_raw,"<error>"), "Error", match(_raw,"<transaction>"), "Transaction" ) | stats count by type

No errors...but no output..all it says 16 events..shows number of events..16 events (before 12/16/13 11:25:23.000 AM ) but no output in Statistics tab

And 16 is total events including events that has tags which i wanted to filter..so this query is really not doing anything..

Re: Counting xml tags in raw event

somesoni2 — Mon, 16 Dec 2013 19:06:48 GMT

Try following

sourcetype=gatewaylogs1 |  rex "^\<(?<eventType>[^\>]+)" | stats count by eventType

This should give your count of event for transaction/error.

Re: Counting xml tags in raw event

lguinn2 — Mon, 16 Dec 2013 23:14:59 GMT

Well, your search isn't filtering out anything, so it will certainly have all the events from gatewaylogs1. I have updated the search. But not sure yet if it will work.