topic Re: Help Needed with Regular Expression in Splunk Search

Help Needed with Regular Expression

rishiaggarwal — Tue, 29 Sep 2020 08:34:28 GMT

Hi All,

i am newbie to splunk platform and seeking some help in writing a regular expression to pull a "" value from the XML type log. Sample XML is as mentioned below.

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope">
    <S:Body>
        <Response xmlns="http://soa.comptel.com/2011/02/instantlink">
            <ResponseHeader>
                <RequestId>83506576</RequestId>
                <Status>9</Status>
                <OrderNo />
                <StatusMessage>Request Ready</StatusMessage>
                <StatusMessageId>RC-0000</StatusMessageId>
                <Priority>5</Priority>
                <ReqUser>bss</ReqUser>
                <ReceivedDate>2016-01-29T11:27:15.951+11:00</ReceivedDate>
                <FinishedDate>2016-01-29T11:27:17.033+11:00</FinishedDate>
            </ResponseHeader>
            <ResponseParameters>
                <Parameter name="PREFIX" value="REMOVE_B4_TO_OSSBSS_" />
                <Parameter name="NOTIFY_INTERACTION_STATUS" value="Success" />
            </ResponseParameters>
            <RequestParameters>
                <Parameter name="NOTIFICATION_MSG_LEVEL" value="0" />
                <Parameter name="RESP_QUEUE_ID" value="SYNCSOA" />
                <Parameter name="NOTIFY_NBN_ORDER_ID" value="ORD000048321077" />
                <Parameter name="REQ_OBJ" value="1" />
                <Parameter name="SERVICE_TYPE" value="createBillingEventResponse" />
                <Parameter name="NOTIFY_CORRELATION_ID" value="4b24bd92-aee3-474a-8c99-9067fbb06ef1" />
                <Parameter name="NOTIFY_BILLING_SUCCESSFUL" value="YES" />
                <Parameter name="CLIENT_ID" value="bss" />
                <Parameter name="ORIGIN" value="1" />
                <Parameter name="REQ_TYPE" value="1" />
                <Parameter name="NOTIFY_ACCESS_SEEKER_ID" value="ASI000000000035" />
            </RequestParameters>
        </Response>
    </S:Body>
</S:Envelope>

From above log i wish to access NOTIFY_CORRELATION_ID for which value = 4b24bd92-aee3-474a-8c99-9067fbb06ef1

Can anyone please suggest me a search sub string ?

Example : | xpath field=message outfield=CORRELATION_ID "//RequestParameters/[ID='NOTIFY_CORRELATION_ID']/../value"

Best Regards
Rishi

Re: Help Needed with Regular Expression

Murali2888 — Tue, 29 Sep 2020 08:34:31 GMT

if the NOTIFY_CORRELATION_ID is occurring once per message then you can use

| rex "Parameter name=\"NOTIFY_CORRELATION_ID\" value=\"(?<CorrelationID>[^"]"

if there is multiple occurrence per message you can add max_match=0 with the rex command which will extract a multi-value field per event.

Re: Help Needed with Regular Expression

rishiaggarwal — Fri, 29 Jan 2016 02:39:18 GMT

Thanks for the response. While running this query i am getting an error "Mismatched ']'."

Re: Help Needed with Regular Expression

Murali2888 — Fri, 29 Jan 2016 02:52:16 GMT

Apologies. I missed a bracket there | rex "Parameter name=\"NOTIFY_CORRELATION_ID\" value=\"(?[^"]*)"

Re: Help Needed with Regular Expression

gcato — Fri, 29 Jan 2016 02:53:37 GMT

Try backslashing escaping the second to last quote (") and closing parenthesis ...

| rex "Parameter name=\"NOTIFY_CORRELATION_ID\" value=\"(?<CorrelationID>[^\"])"

Re: Help Needed with Regular Expression

gcato — Fri, 29 Jan 2016 02:58:08 GMT

Oh... and a + after the ]

 | rex "Parameter name=\"NOTIFY_CORRELATION_ID\" value=\"(?<CorrelationID>[^\"]+)"

Re: Help Needed with Regular Expression

jbjerke_splunk — Fri, 29 Jan 2016 14:02:55 GMT

Hi rishiaggarwal

Try this one:

| rex "Parameter name=\"NOTIFY_CORRELATION_ID\" value=\"(?<NOTIFY_CORRELATION_ID>[^\"]+)"

If correct, please mark as answered so we can close this post.