Need to extract the store id, mop and amount from ...

yograjpatel · ‎08-04-2017

900
200
138
203.009999999999990905052982270717620849609375
MASTERCARD

niketn · ‎08-04-2017

@yograjpatel, following is a run anywhere search based on your mock data (anonymized), which extracts the XML Data using regular expressions using the rex command and then parses/extracts the field using spath command. The round() function is used to convert Amount to two digits precision.

| makeresults
| eval _raw="13:22:17,351 ABCDefghijHGFDSAab1HabcAB INFO [com.abc.def.webservices.impl.KioskIntegrationServicePortTypeImpl] (http-/120.10.10.0:8000-4) RWS to POS Request:

 <tillID>120</tillID>
 <registerID>321</registerID>
 <storeID>111</storeID>
 <amount>203.009999999999990905052982270717620849609375</amount>
 <mop>MASTERCARD</mop>"
| rex field=_raw "(?ms)RWS to POS Request:\s+(?<xml_data>.*)"
| spath input=xml_data path=tillID output=tillID
| spath input=xml_data path=registerID output=registerID
| spath input=xml_data path=storeID output=storeID
| spath input=xml_data path=amount output=amount
| spath input=xml_data path=mop output=mop
| eval amount=round(amount,2)
| table tillID registerID storeID amount mop

PS: You will not need the first two pipes, which are used just to mimic the sample data provided. You can add your own base search instead.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

yograjpatel · ‎08-04-2017

Hi Niket,
The answer provided will extract only for that particular event. what if there are multiple?

niketn · ‎08-04-2017

As far as your events have "RWS to POS Request:" followed by XML Data, the following search should work.

<YourBaseSearchWithIndexSourcetypeAndOtherFilters> "RWS to POS Request:"
 | rex field=_raw "(?ms)RWS to POS Request:\s+(?<xml_data>.*)"
 | spath input=xml_data path=tillID output=tillID
 | spath input=xml_data path=registerID output=registerID
 | spath input=xml_data path=storeID output=storeID
 | spath input=xml_data path=amount output=amount
 | spath input=xml_data path=mop output=mop
 | eval amount=round(amount,2)
 | table tillID registerID storeID amount mop

Based on your actual sample data your regular expression might change. You can test your Regular Expression on regex101.com. If your data varies you should add more sample data. Make sure you mock/anonymize sensitive information.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

yograjpatel · ‎08-07-2017

Hi Niket,

I see the query is working but the table ouput is all empty. I do see 35 events in last 10 mins but no data it the table statistics.

niketn · ‎08-08-2017

You can test Regular expression RWS to POS Request:\s+(?<xml_data>.*) on regex101.com with some sample data from yuor logs like the one you have posted. You might have to change the regular expression based on your data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

yograjpatel · ‎08-04-2017

event snippet is like this:

8/4/17

1:22:17.351 PM

13:22:17,351 OZqYohdqfDMZQPTxk5JruzNT INFO com.cox.rws.webservices.impl.KioskIntegrationServicePortTypeImpl RWS to POS Request:

<tillID>900</tillID>
<registerID>200</registerID>
<storeID>138</storeID>
<amount>203.009999999999990905052982270717620849609375</amount>
<mop>MASTERCARD</mop>

Need to extract the store id, mop and amount from the event and restrict the amount to 2 decimal point

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM