How to filter out inline result

alivesince92
Engager

Hello,

After my query my result is:

<ns2:OriginCountry>RUS</ns2:OriginCountry><ns2:MessageValues><ns2:MessageValue><ns2:Name>SendType</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>MessageCategory</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverCountry</ns2:Name><ns2:Value>RUS</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverLanguage</ns2:Name><ns2:Value>ru</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>OTP</ns2:Name><ns2:Value>736351</ns2:Value></ns2:MessageValue></ns2:MessageValues></ns2:NotificationRequest>

In my result I would like to receive only the figure between the ns2:Value tags.

How can I filter this out?

0 Karma

alivesince92
Engager

Thank you for your response, @kamlesh_vaghela, unfortunately it does not work as expected. I forgot to mention that these 6 digits are variable, depending on the search. In this exact case my search consists of the phone number and method name. The expected result is the OTP in the ns2:Value field.

0 Karma

kamlesh_vaghela
SplunkTrust

@alivesince92
Please check my UPDATED ANSWER .

0 Karma

alivesince92
Engager

@kamlesh_vaghela , it still does not work.
The result I am getting in Verbose mode is an empty table:
https://ibb.co/z6YS74x

0 Karma

kamlesh_vaghela
SplunkTrust

@alivesince92

Can you please share your search? Please mask confidential values in the search.

0 Karma

alivesince92
Engager

My original search is 9258487596 "S:METHOD_NAME=GwpVerifyPhone"
The response that I am getting:
2019-08-28 10:37:32,511 [jetty-84 - /mobiliser/channel] ERROR com.***.***.***.***.project.jms.****liser S:METHOD_NAME=GwpVerifyPhone : WebAppSessionId= : ChannelSessionId=web-***-***-e8b8-***-8796-****365e : ClientIp=217117019234 : Corridor=[RU-UNKNOWN] - Message Sent successfully: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns2:NotificationRequest xmlns:ns2="http://***" xmlns:ns1="http://***" xmlns:ns4="http://***" xmlns:ns3="http://***" xmlns:ns9="http://***" xmlns:ns5="http://***" xmlns:ns6="http://***" xmlns:ns10="http://***" xmlns:ns7="http://***" xmlns:ns8="http://***"><ns1:Header><ns1:Source>Wallet</ns1:Source><ns1:AppName ns1:Version="***">*DIGITAL</ns1:AppName><ns1:Timestamp>2019-08-28T10:37:29.898+03:00</ns1:Timestamp><ns1:CorrelationId>web-**-**-**-**-365e</ns1:CorrelationId><ns1:TransactionId>****</ns1:TransactionId></ns1:Header><ns3:Customer><ns6:Address><ns6:Country ns6:IS03="RUS"/></ns6:Address><ns7:Phone><ns7:PhoneType ns7:Desc="MOBILE">MOBILE</ns7:PhoneType><ns7:PhoneNum ns7:ISDCode="7">9258487596</ns7:PhoneNum></ns7:Phone><ns10:Preference><ns10:PrefLanguageCode>RU</ns10:PrefLanguageCode></ns10:Preference></ns3:Customer><ns2:MessageType>5010</ns2:MessageType><ns2:MessageChannelPreference>SMS</ns2:MessageChannelPreference><ns2:OriginCountry>RUS</ns2:OriginCountry><ns2:MessageValues><ns2:MessageValue><ns2:Name>SendType</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>MessageCategory</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverCountry</ns2:Name><ns2:Value>RUS</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverLanguage</ns2:Name><ns2:Value>ru</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>OTP</ns2:Name><ns2:Value>342719</ns2:Value></ns2:MessageValue></ns2:MessageValues></ns2:NotificationRequest>

And all I need to be visible instead of all this response is the 6 digits between the ns2:Value fields. In this case 342719, but as I mentioned before this is variable and it changes, as the OTP is generated by the system.

0 Karma

kamlesh_vaghela
SplunkTrust

@alivesince92
Please check my UPDATED ANSWER VERSION:2 🙂

0 Karma

alivesince92
Engager

@kamlesh_vaghela you are the superstar! Thank You!

0 Karma

kamlesh_vaghela
SplunkTrust

@alivesince92

You can use spath here.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/spath

Try this:

YOUR_SEARCH  | spath | rename "ns2:MessageValues.ns2:MessageValue.ns2:Value" as Value | table Value

Sample Search:

| makeresults | eval _raw="<ns2:OriginCountry>RUS</ns2:OriginCountry><ns2:MessageValues><ns2:MessageValue><ns2:Name>SendType</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>MessageCategory</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverCountry</ns2:Name><ns2:Value>RUS</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverLanguage</ns2:Name><ns2:Value>ru</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>OTP</ns2:Name><ns2:Value>736351</ns2:Value></ns2:MessageValue></ns2:MessageValues></ns2:NotificationRequest>" | spath | rename "ns2:MessageValues.ns2:MessageValue.ns2:Value" as Value | table Value

And if you want to display the values in separate rows, just add the search below.

| mvexpand Value

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/mvexpand

UPDATED ANSWER

Try this:

YOUR_SEARCH  | spath | rename "ns2:MessageValues.ns2:MessageValue.ns2:*" as * | eval temp = mvzip(Name,Value) | mvexpand temp | eval Name=mvindex(split(temp,","),0),Value=mvindex(split(temp,","),1) | table Name Value

Sample Search:

| makeresults | eval _raw="<ns2:OriginCountry>RUS</ns2:OriginCountry><ns2:MessageValues><ns2:MessageValue><ns2:Name>SendType</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>MessageCategory</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverCountry</ns2:Name><ns2:Value>RUS</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverLanguage</ns2:Name><ns2:Value>ru</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>OTP</ns2:Name><ns2:Value>736351</ns2:Value></ns2:MessageValue></ns2:MessageValues></ns2:NotificationRequest>" | spath | rename "ns2:MessageValues.ns2:MessageValue.ns2:*" as * | eval temp = mvzip(Name,Value) | mvexpand temp | eval Name=mvindex(split(temp,","),0),Value=mvindex(split(temp,","),1) | table Name Value

UPDATED ANSWER VERSION:2

As per the sample event you provided, I have made a few changes to my previous search.

YOUR_SEARCH   | rex field=_raw "(?<data><ns2:NotificationRequest(.+?)<\/ns2:NotificationRequest>)" 
    | eval _raw=data 
    | spath
    | rename "ns2:NotificationRequest.ns2:MessageValues.ns2:MessageValue.ns2:*" as * 
    | eval temp = mvzip(Name,Value) 
    | mvexpand temp 
    | eval Name=mvindex(split(temp,","),0),Value=mvindex(split(temp,","),1) 
    | table Name Value

Sample Search:

| makeresults 
| eval _raw="2019-08-28 10:37:32,511 [jetty-84 - /mobiliser/channel] ERROR com.***.***.***.***.project.jms.****liser S:METHOD_NAME=GwpVerifyPhone : WebAppSessionId= : ChannelSessionId=web-***-***-e8b8-***-8796-****365e : ClientIp=217117019234 : Corridor=[RU-UNKNOWN] - Message Sent successfully: <?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><ns2:NotificationRequest xmlns:ns2=\"http://***\" xmlns:ns1=\"http://***\" xmlns:ns4=\"http://***\" xmlns:ns3=\"http://***\" xmlns:ns9=\"http://***\" xmlns:ns5=\"http://***\" xmlns:ns6=\"http://***\" xmlns:ns10=\"http://***\" xmlns:ns7=\"http://***\" xmlns:ns8=\"http://***\"><ns1:Header><ns1:Source>Wallet</ns1:Source><ns1:AppName ns1:Version=\"***\">*DIGITAL</ns1:AppName><ns1:Timestamp>2019-08-28T10:37:29.898+03:00</ns1:Timestamp><ns1:CorrelationId>web-**-**-**-**-365e</ns1:CorrelationId><ns1:TransactionId>****</ns1:TransactionId></ns1:Header><ns3:Customer><ns6:Address><ns6:Country ns6:IS03=\"RUS\"/></ns6:Address><ns7:Phone><ns7:PhoneType ns7:Desc=\"MOBILE\">MOBILE</ns7:PhoneType><ns7:PhoneNum ns7:ISDCode=\"7\">9258487596</ns7:PhoneNum></ns7:Phone><ns10:Preference><ns10:PrefLanguageCode>RU</ns10:PrefLanguageCode></ns10:Preference></ns3:Customer><ns2:MessageType>5010</ns2:MessageType><ns2:MessageChannelPreference>SMS</ns2:MessageChannelPreference><ns2:OriginCountry>RUS</ns2:OriginCountry><ns2:MessageValues><ns2:MessageValue><ns2:Name>SendType</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>MessageCategory</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverCountry</ns2:Name><ns2:Value>RUS</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverLanguage</ns2:Name><ns2:Value>ru</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>OTP</ns2:Name><ns2:Value>342719</ns2:Value></ns2:MessageValue></ns2:MessageValues></ns2:NotificationRequest>" 
| rex field=_raw "(?<data><ns2:NotificationRequest(.+?)<\/ns2:NotificationRequest>)" 
| eval _raw=data 
| spath
| rename "ns2:NotificationRequest.ns2:MessageValues.ns2:MessageValue.ns2:*" as * 
| eval temp = mvzip(Name,Value) 
| mvexpand temp 
| eval Name=mvindex(split(temp,","),0),Value=mvindex(split(temp,","),1) 
| table Name Value

Happy Splunking
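The same extraction the accepted answer does in SPL (rex to isolate the XML document embedded in the free-text log line, then pair each Name with its Value the way mvzip/mvexpand do), written in Python as an added example that is not part of the thread. The log line, the namespace URIs and the OTP value are constructed placeholders modelled on the masked sample above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample event modelled on the thread's masked log line;
# namespace URIs and the OTP value are placeholders, not real data.
SAMPLE_EVENT = (
    '2019-08-28 10:37:32,511 [jetty-84 - /mobiliser/channel] ERROR '
    'com.example.project.jms.mobiliser S:METHOD_NAME=GwpVerifyPhone : '
    'Corridor=[RU-UNKNOWN] - Message Sent successfully: '
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<ns2:NotificationRequest xmlns:ns2="urn:example:notification" '
    'xmlns:ns1="urn:example:header">'
    '<ns1:Header><ns1:Source>Wallet</ns1:Source></ns1:Header>'
    '<ns2:MessageType>5010</ns2:MessageType>'
    '<ns2:OriginCountry>RUS</ns2:OriginCountry>'
    '<ns2:MessageValues>'
    '<ns2:MessageValue><ns2:Name>SendType</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue>'
    '<ns2:MessageValue><ns2:Name>ReceiverCountry</ns2:Name><ns2:Value>RUS</ns2:Value></ns2:MessageValue>'
    '<ns2:MessageValue><ns2:Name>OTP</ns2:Name><ns2:Value>342719</ns2:Value></ns2:MessageValue>'
    '</ns2:MessageValues></ns2:NotificationRequest>'
)

# Same job as the rex in the answer: cut the XML document out of the
# surrounding log text so an XML parser (spath in SPL) can read it.
FRAGMENT_RE = re.compile(r"(<ns2:NotificationRequest.+?</ns2:NotificationRequest>)")


def extract_fragment(event):
    match = FRAGMENT_RE.search(event)
    return match.group(1) if match else None


def message_values(event):
    """Return (Name, Value) pairs for every ns2:MessageValue, paired by
    position like mvzip/mvexpand; [] when the line carries no XML."""
    fragment = extract_fragment(event)
    if fragment is None:
        return []
    root = ET.fromstring(fragment)
    pairs = []
    for element in root.iter():
        # ElementTree expands prefixes to "{uri}local", so match on the
        # local name rather than on the ns2: prefix.
        if element.tag.split("}")[-1] != "MessageValue":
            continue
        fields = {child.tag.split("}")[-1]: (child.text or "").strip() for child in element}
        pairs.append((fields.get("Name"), fields.get("Value")))
    return pairs


def otp_value(event):
    """The single figure the question asks for: the Value whose Name is OTP."""
    return dict(message_values(event)).get("OTP")
```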

kamlesh_vaghela
SplunkTrust

@alivesince92

Glad to help you. Please upvote any comments which help you to understand the solution and accept this answer to close this question.

Happy Splunking

0 Karma

kamlesh_vaghela
SplunkTrust

@alivesince92

We cannot see the fields or XML tags you mentioned. Can you please use a code block for that?

0 Karma

alivesince92
Engager

Thank you for your notice. Already updated.

0 Karma