How to write a basic SPLUNK query which returns value A, B, C & D.

New Member

Can you please help me on how to write a basic SPLUNK query which returns value A, B, C & D.

Here is a screenshot of the sample XML tags, attached.

0 Karma

Super Champion

Try something like this:

|rex "one\>(?<one>\w+)|two\>(?<two>\w+)"|table one two

The regex should extract what is in the one and two nodes and put them in fields called one and two.

0 Karma

New Member

Thanks! I tried, but it still returns only A, B, not C, D & E, F.

0 Karma

Explorer

Wouldn't you want to use xpath or spath to deal with XML?

New Member

I tried, but I'm not sure about it. So I had written a query using rex as below; it returns only error code1 and detail1 all the time.

(one = code , two = detail)

InterfaceResponse|
rex "(?<success>.{2,60})<\/msg:succes" | where success = "false" |
rex "(?<errorcode1>.{2,60})<\/msg:cod" |
rex "(?<errorcode2>.{10,60})<\/msg:cod" |
rex "(?<errorcode3>.{10,60})<\/msg:cod" |
rex "(?<detail1>.{2,60})<\/msg:detai" |
rex "(?<detail2>.{10,60})<\/msg:detai" |
rex "(?<detail3>.{10,60})<\/msg:detai" |
table MessageUUID success errorcode1 errorcode2 errorcode3 detail1 detail2 detail3

0 Karma
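The query above runs the same unanchored pattern three times, and each `rex` starts matching from the beginning of the event again, so all three fields end up holding the first code and the first detail. The following Python is an added illustration, not code from the thread or from Splunk: it mimics that repeated-rex behaviour, then shows the two fixes the thread points toward (one pass that keeps every match, which is what `rex max_match=0` does, and a namespace-aware XPath walk as suggested later in the thread). The XML event, its `urn:example:msg` namespace, the `msg:error` wrapper and the ERR-* codes are all constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample event (not from the thread): one response carrying three
# code/detail pairs under a "msg" namespace, as the asker's table implies.
SAMPLE_EVENT = """<msg:InterfaceResponse xmlns:msg="urn:example:msg">
  <msg:MessageUUID>123e4567-e89b-12d3-a456-426614174000</msg:MessageUUID>
  <msg:success>false</msg:success>
  <msg:errors>
    <msg:error><msg:code>ERR-100</msg:code><msg:detail>missing account id</msg:detail></msg:error>
    <msg:error><msg:code>ERR-200</msg:code><msg:detail>invalid currency</msg:detail></msg:error>
    <msg:error><msg:code>ERR-300</msg:code><msg:detail>limit exceeded</msg:detail></msg:error>
  </msg:errors>
</msg:InterfaceResponse>"""


def repeated_rex(event: str) -> list:
    """Mimics running the same `rex` three times: each call restarts from the
    start of the event, so every errorcodeN field receives the first match."""
    # Lazy quantifier so the group stops at the first closing tag; the thread's
    # greedy `.{2,60}` behaves the same here because each pair sits on one line.
    pattern = re.compile(r"<msg:code>(?P<code>.{2,60}?)</msg:cod")
    return [pattern.search(event).group("code") for _ in range(3)]


def all_matches(event: str) -> list:
    """Equivalent of `rex max_match=0`: one pass that collects every occurrence
    in document order (a multivalue field in Splunk terms)."""
    pattern = re.compile(r"<msg:code>(?P<code>.{2,60}?)</msg:code>")
    return [m.group("code") for m in pattern.finditer(event)]


def xpath_pairs(event: str) -> list:
    """Namespace-aware XPath, the route suggested later in the thread: walks each
    msg:error node and returns (code, detail) tuples with no regex at all."""
    ns = {"msg": "urn:example:msg"}  # assumed namespace URI for the sample
    root = ET.fromstring(event)
    return [
        (err.findtext("msg:code", namespaces=ns),
         err.findtext("msg:detail", namespaces=ns))
        for err in root.findall(".//msg:error", ns)
    ]


if __name__ == "__main__":
    print("same rex three times:", repeated_rex(SAMPLE_EVENT))
    print("single pass, all matches:", all_matches(SAMPLE_EVENT))
    print("xpath pairs:", xpath_pairs(SAMPLE_EVENT))
```

Running it shows the first function returning the same code three times, which is exactly the symptom described in the question, while the other two return all three codes. In SPL the same shape is `rex max_match=0 "<msg:code>(?<errorcode>.{2,60}?)</msg:code>"` followed by `mvexpand errorcode` if one row per error is wanted, or `xpath outfield=errorcode "//msg:error/msg:code"` with the document's real namespace.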

Super Champion

when you tried xpath, what did you try? |xpath outfield=one "//msg:XYS/msg:ONE"

0 Karma

New Member

I tried that as well, but I'm not sure about it. Here is the sample request, which I am trying to put into a table (which results in error descriptions 1, 2 & 3). Please advise.

0 Karma

Super Champion

You're trying to extract these into one field? Or what are you expecting as an output?

0 Karma

New Member

Trying to extract this output as a table.

0 Karma