Search the data from an XML-based log file based on the condition

rafimails
New Member

Hi,
I am trying to search and display the data from an XML-based log file with the matching condition.
My XML is like below:

<track-exception-code>70</track-exception-code>
<track-item-number>779771138490</track-item-number>
<track-location-code>COKED</track-location-code>
<track-scan-time>0933</track-scan-time>
<track-type>07</track-type>

I used the below query to search for the track-item-number

host="" source="" |xpath outfield=track-item-number "//EnhancedEvent/master-list[track-type='07']/track-item-number"

The result should display track-item-number as 779771138490 when I use the condition where track-type=07 and track-exception-code=70.

No results were displayed when i ran the above query. Could you please help me in this regard.

Regards,
Rafi


efavreau
Motivator

@rafimails Sometimes using xpath or spath isn't what's best for readability or easiest. Sometimes it is. I've found using regular expressions is sometimes quite similar in performance and easier for readability, which is what I'll show you below in a run anywhere example:

| makeresults 
| eval _raw="<track-exception-code>70</track-exception-code>,<track-item-number>779771138490</track-item-number>,<track-location-code>COKED</track-location-code>,<track-scan-time>0933</track-scan-time>,<track-type>07</track-type>"
| makemv _raw delim=","
| rex field=_raw "<track-exception-code>(?<track_exception_code>.+)<\/track-exception-code>"
| rex field=_raw "<track-item-number>(?<track_item_number>.+)</track-item-number>"
| rex field=_raw "<track-location-code>(?<track_location_code>.+)</track-location-code>"
| rex field=_raw "<track-scan-time>(?<track_scan_time>.+)<\/track-scan-time>"
| rex field=_raw "<track-type>(?<track_type>.+)<\/track-type>"

Now all your data is in fields that you can manipulate as you need. Cheers!

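As an added example (it is not code from this thread and not Splunk's own), here is the same two-condition lookup done in Python over constructed sample events, so the XPath predicate the question uses and the one-regex-per-element field extraction from the reply above can be compared side by side. The event text, element names and the EnhancedEvent/master-list root elements follow what the poster described; the function names items_by_xpath and items_by_regex and the sample values are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample events (not taken from any real log): each event is one
# XML document whose root elements are the ones the poster named.
SAMPLE_EVENTS = [
    # matches track-type=07 AND track-exception-code=70
    """<EnhancedEvent><master-list>
<track-exception-code>70</track-exception-code>
<track-item-number>779771138490</track-item-number>
<track-location-code>COKED</track-location-code>
<track-scan-time>0933</track-scan-time>
<track-type>07</track-type>
</master-list></EnhancedEvent>""",
    # same type but a different exception code: must not match the two-condition filter
    """<EnhancedEvent><master-list>
<track-exception-code>74</track-exception-code>
<track-item-number>12345</track-item-number>
<track-type>07</track-type>
</master-list></EnhancedEvent>""",
    # truncated event with no closing tags: not well-formed XML, so an XPath
    # search cannot parse it at all, while a regex extraction still finds the fields
    """<master-list><track-exception-code>70</track-exception-code>
<track-item-number>555</track-item-number><track-type>07</track-type>""",
]


def _check_code(value):
    """The condition values are spliced into an XPath string, so only accept
    digit strings; anything else would let a caller rewrite the predicate."""
    if not value.isdigit():
        raise ValueError(f"expected a numeric code, got {value!r}")
    return value


def items_by_xpath(events, track_type, exception_code):
    """Return ([track-item-number values], number of events that failed to parse).

    The path mirrors the question's
    //EnhancedEvent/master-list[track-type='07']/track-item-number with a second
    predicate for the exception code. ElementTree only supports relative paths,
    hence './/' instead of '//'.
    """
    path = (f".//master-list[track-type='{_check_code(track_type)}']"
            f"[track-exception-code='{_check_code(exception_code)}']/track-item-number")
    found, unparsable = [], 0
    for raw in events:
        try:
            root = ET.fromstring(raw)
        except ET.ParseError:
            unparsable += 1
            continue
        found.extend(el.text for el in root.findall(path))
    return found, unparsable


# One pattern per element, as in the rex-based reply. [^<]* rather than .+ so a
# greedy match cannot run past the closing tag when several elements share a line.
TAG_RE = {
    name: re.compile(rf"<{name}>([^<]*)</{name}>")
    for name in ("track-exception-code", "track-item-number", "track-type")
}


def items_by_regex(events, track_type, exception_code):
    """Extract the three fields with regexes, then apply the same two conditions."""
    found = []
    for raw in events:
        fields = {}
        for name, rx in TAG_RE.items():
            m = rx.search(raw)
            if m:
                fields[name] = m.group(1)
        if (fields.get("track-type") == track_type
                and fields.get("track-exception-code") == exception_code):
            found.append(fields.get("track-item-number"))
    return found


if __name__ == "__main__":
    print(items_by_xpath(SAMPLE_EVENTS, "07", "70"))   # (['779771138490'], 1)
    print(items_by_regex(SAMPLE_EVENTS, "07", "70"))   # ['779771138490', '555']
```

Two things the run shows that matter for the thread: XPath predicates compare strings, so a condition written as track-type='7' does not match an element whose text is 07, and an event that is not well-formed XML (here, the truncated third one) is simply skipped by the parser while the regex extraction still reads it. The regex route is therefore more forgiving of broken events, and the XPath route is stricter; either way, the condition values should be validated before they are interpolated into a query string.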

rafimails
New Member

This XML data in the logs is dynamic. I just want to search the data based on a condition. For example, my sample log file name is sample.log, the host is abc, and in the sample log let's say track-type is 7, track-exception-code is 74 and track-item-number is 12345.
I want to read this log file and display the track-item-number as 12345 when track-type=7 and track-exception-code=74.
The root elements for the XML file are Enhancementevent and masterlist.

Sample xml file looks like below

12345
7
74

Search string:

host=abc source=sample.log


to4kawa
Ultra Champion
....
| spath

Hi, how about this?


rafimails
New Member

Can you give me the full query with spath?


to4kawa
Ultra Champion

Sorry, I can't touch Splunk right now.
Another way:

index=yourindex "<track-item-number>"
|rex "\<track-item-number\>(?<track_item_number>\d+)"

Maybe that works.


rafimails
New Member

Not working.


rafimails
New Member

Can the index name be anything? If not, where can I see the index name?


to4kawa
Ultra Champion

Sorry, can't you try spath?

_time                track-exception-code  track-item-number  track-location-code  track-scan-time  track-type
2020/01/23 20:25:50  70                    779771138490       COKED                0933             07

The fields should be extracted neatly.


rafimails
New Member

Can you give me the search string for the above result?


rafimails
New Member

This is how my XML looks:

<master-list>
<track-exception-code>70</track-exception-code>
<track-item-number>779771138490</track-item-number>
<track-location-code>COKED</track-location-code>
<track-scan-time>0933</track-scan-time>
<track-type>07</track-type>

to4kawa
Ultra Champion

Please add your query below.

| spath