I am trying to exclude results from a set of data from an XML data source.
I can search for events containing the particular string but when I change the search to "does not equal" it will return no results at all.
In this example, I want to exclude "Card 3 Total Modems" but Splunk will show no results if I change it or by clicking on the field and selecting "exclude results."
source="C:\\Users\\evanr\\splunk\final.xml" host="OSSTEST01" index="prtg_api_cmts" sourcetype="prtg_api" | search "group{@name}"="Twin Valley CMTS" | table _time, group{@name}, group.sensor{@name}, group.sensor.value
Hi,
Sorry for the delay, can you give this a go a let me know if this is what you are looking for?
Assumptions:
- Your event has a _raw field with all the XML data in there
- You want to filter group name = "Twin Valley CMTS" but if not simply apply the same logic as below
- You don't want to see "Card 3 Total Modems" but if not simply modify the filter below
- If you want to summarise the final output into values simply use stats values(fieldname) as fieldname to do that
Query:
your base search here
| rex field=_raw "(?msi)(?<group>\<group name=\"Twin Valley CMTS\".+?\</group\>")
| spath input=group
| eval temp = mvzip('group.sensor{@name}', 'group.sensor.value', " <--> ")
| fields - "group.sensor{@name}", "group.sensor.value"
| mvexpand temp
| search temp != "Card 3 Total Modems*"
| rex field=temp "(?<name>.+) \<--\> (?<value>.+)"
| rename name as "group.sensor{@name}", value as "group.sensor.value"
| fields - temp, group, _raw
When I tried this with the sample you attached last week this is what I got (see picture below):
