
Search the data from a xml based log file based on the condition

rafimails
New Member

Hi,
I am trying to search and display the data from a xml based log file with the matching condition.
My XML is like below:

<track-exception-code>70</track-exception-code>
<track-item-number>779771138490</track-item-number>
<track-location-code>COKED</track-location-code>
<track-scan-time>0933</track-scan-time>
<track-type>07</track-type>

I used the below query to search for the track-item-number

host="" source="" |xpath outfield=track-item-number "//EnhancedEvent/master-list[track-type='07']/track-item-number"

The result should display track-item-number as 779771138490 when I use the condition where track-type=07 and track-exception-code=70.

No results were displayed when I ran the above query. Could you please help me in this regard?

Regards
Rafi

0 Karma

efavreau
Builder

@rafimails Sometimes using xpath or spath isn't what's best for readability or easiest. Sometimes it is. I've found using regular expressions is sometimes quite similar in performance and easier for readability, which is what I'll show you below in a run anywhere example:

| makeresults 
| eval _raw="<track-exception-code>70</track-exception-code>,<track-item-number>779771138490</track-item-number>,<track-location-code>COKED</track-location-code>,<track-scan-time>0933</track-scan-time>,<track-type>07</track-type>"
| makemv _raw delim=","
| rex field=_raw "<track-exception-code>(?<track_exception_code>.+)</track-exception-code>"
| rex field=_raw "<track-item-number>(?<track_item_number>.+)</track-item-number>"
| rex field=_raw "<track-location-code>(?<track_location_code>.+)</track-location-code>"
| rex field=_raw "<track-scan-time>(?<track_scan_time>.+)</track-scan-time>"
| rex field=_raw "<track-type>(?<track_type>.+)</track-type>"

Now all your data is in fields that you can manipulate as you need. Cheers!


If this reply helps you, an upvote would be appreciated.
0 Karma
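The two-condition selection the question asks for, worked through in Python as an added example (it is not code from this thread or from Splunk): it applies the poster's XPath with the missing track-exception-code predicate added, and the regex approach from the reply above, to the same record. The <EnhancedEvent>/<master-list> nesting and the sample values are constructed from the poster's description and are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample record shaped like the XML described in the thread:
# one <EnhancedEvent> root holding several <master-list> entries (assumed).
SAMPLE_EVENT = """<EnhancedEvent>
  <master-list>
    <track-exception-code>70</track-exception-code>
    <track-item-number>779771138490</track-item-number>
    <track-location-code>COKED</track-location-code>
    <track-scan-time>0933</track-scan-time>
    <track-type>07</track-type>
  </master-list>
  <master-list>
    <track-exception-code>74</track-exception-code>
    <track-item-number>12345</track-item-number>
    <track-location-code>COKED</track-location-code>
    <track-scan-time>1015</track-scan-time>
    <track-type>07</track-type>
  </master-list>
</EnhancedEvent>"""


def item_numbers_by_xpath(xml_text, track_type, exception_code):
    """XPath with predicates on BOTH conditions; the poster's query tested
    track-type only. ElementTree's XPath subset allows chained [child='text']
    predicates. The filter values are operator constants, so reject anything
    that could alter the expression before interpolating it."""
    for value in (track_type, exception_code):
        if not value.isalnum():
            raise ValueError(f"unsafe predicate value: {value!r}")
    path = (f".//master-list[track-type='{track_type}']"
            f"[track-exception-code='{exception_code}']/track-item-number")
    return [el.text for el in ET.fromstring(xml_text).findall(path)]


def item_numbers_by_regex(xml_text, track_type, exception_code):
    """Same selection with the rex-style approach: extract every tagged value
    per <master-list> block, then filter. [^<]+ rather than .+ keeps a greedy
    match from swallowing the closing tag when several tags share a line."""
    results = []
    for block in re.findall(r"<master-list>(.*?)</master-list>", xml_text, re.S):
        fields = dict(re.findall(r"<(track-[a-z-]+)>([^<]+)</\1>", block))
        if (fields.get("track-type") == track_type
                and fields.get("track-exception-code") == exception_code):
            results.append(fields["track-item-number"])
    return results
```

Both functions return ['779771138490'] for track-type 07 with exception code 70, and ['12345'] for code 74.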

rafimails
New Member

This XML data in the logs is dynamic. I just want to search the data based on a condition. Example: my sample log file name is sample.log, the host is abc, and in the sample log let's say track-type is 7, track-exception-code is 74 and track-item-number is 12345.
I want to read this log file and display the track-item-number as 12345 when track-type=7 and track-exception-code is 74.
the root elements for the xml file is Enhancementevent and masterlist

Sample xml file looks like below

12345
7
74

Search string:

host=abc source=sample.log

0 Karma

to4kawa
SplunkTrust

Hi, how about this

....
| spath

0 Karma

rafimails
New Member

can u give me the full query with spath?

0 Karma

to4kawa
SplunkTrust

sorry, now I can't touch splunk.
another way:

index=yourindex "<track-item-number>"
|rex "\<track-item-number\>(?<track_item_number>\d+)"

maybe works.

0 Karma

rafimails
New Member

not working

0 Karma

rafimails
New Member

Can the index name be anything? If not, where can I see the index name?

0 Karma

to4kawa
SplunkTrust

sorry, you can't try spath?

_time   track-exception-code    track-item-number   track-location-code track-scan-time track-type
2020/01/23 20:25:50 70  779771138490    COKED   0933    07

The fields should be extracted neatly

0 Karma

rafimails
New Member

can you give me the search string for the above result?

0 Karma

rafimails
New Member

This is what my XML looks like:

<master-list>
<track-exception-code>70</track-exception-code>
<track-item-number>779771138490</track-item-number>
<track-location-code>COKED</track-location-code>
<track-scan-time>0933</track-scan-time>
<track-type>07</track-type>

0 Karma

to4kawa
SplunkTrust

Please add your query below.

| spath
0 Karma