Hi All,
Please help me in extracting the response values of the below XML snapshot.
Finally, I want to display a table like below.
After mapping all these values perfectly, I would like to display a line graph based on measobjldn.
For example, my problem statement is to display the cpu_avg values of 4 different components (management 1, management 2, management 3, management 4) separately, where measinfoid=statistics.
I used the below query, but it is a hard-coded query. How can I map all the values perfectly without hard-coding the values?
index=AAA sourcetype=AAAB host=xxx | spath
| rename measInfo.measType as Request_type, measInfo.measValue.r as P_value, measInfo.measValue.r{@p} as P_type, measInfo.measValue{@measObjLdn} as MeasobjLdn, measInfo{@measInfoId} as Measinfo_id
| table time,host, Measinfo_id ,P_type,P_value
| eval temp2=mvzip(P_type,P_value,"=")
| mvexpand temp2
| rex field=temp2 (?.+)=(?.+)
| table _time host Measinfo_id P_type P_value
| search Measinfo_id=statistics AND P_type=2
| streamstats count as sno by _time
| eval ObjLdn=case(sno==1,"management 1",sno==2,"management 1",sno==3,"management 1",sno==4,"management 1")
| table _time host InfoId P_type P_value sno Measobjldn
| stats values(P_value) as P_Value by time,host,Measobjldn
| xyseries _time Measobjldn P_value
Please correct this query and help me.
| makeresults
| eval _raw="<?xml version=XXX>
<measCollecFile XXX>
<fileHeader XXX>
<measCollec XXX/>
</fileHeader>
<measData>
<measInfo measInfoId=\"statsitics\">
<job jobId=\"AAA\"/>
<measType p=\"1\">cpu</measType>
<measType p=\"2\">cpu_avg</measType>
<measType p=\"3\">cpu_peak</measType>
<measType p=\"4\">cpu_min</measType>
<measValue measObjLdn=\"Management 1\">
<r p=\"1\">5</r>
<r p=\"2\">5</r>
<r p=\"3\">6</r>
<r p=\"4\">2</r>
</measValue>
<measValue measObjLdn=\"Management 2\">
<r p=\"1\">6</r>
<r p=\"2\">6</r>
<r p=\"3\">6</r>
<r p=\"4\">2</r>
</measValue>
<measValue measObjLdn=\"Management 3\">
<r p=\"1\">4</r>
<r p=\"2\">4</r>
<r p=\"3\">6</r>
<r p=\"4\">2</r>
</measValue>
<measValue measObjLdn=\"Management 4\">
<r p=\"1\">3</r>
<r p=\"2\">3</r>
<r p=\"3\">6</r>
<r p=\"4\">2</r>
</measValue>
</measInfo>
</measData>
<fileFooter>
<measCollec XXX/>
</fileFooter>
</measCollecFile>"
| multikv noheader=t
| streamstats count(eval(match(_raw,"meas[IV]"))) as session
| stats list(_raw) as _raw by session
| sort session
| where match(mvindex(_raw,0),"\<\w")
| rex ">(?<values>.*)<"
| rex "\"(?<name>.*)\""
| eval name=mvindex(name,0)
| transpose header_field=name
| where column="values"
| eval _counter=mvrange(0,mvcount(statsitics))
| fields - column
| stats list(*) as * by _counter
| foreach * [ eval <<FIELD>> = mvindex('<<FIELD>>' , _counter) ]
I can't make it vertical.
Set KV_MODE = xml in props.conf and cycle Splunk.
That will fix new incoming data.
For data that has already been ingested, append this to your search (after updating props and cycling):
| extract reload=T
I see, I'll try.
Sorry, I can't do it, because your sample is pics.
No issues. Thanks for your time ☺
@to4kawa Can you please help me
@vnravikumar ... Can you please help me.
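Added example, not part of the original thread or any poster's query: one way to do the mapping without hard-coding, by pairing each `<r p>` value with the `<measType p>` that has the same `p` inside its own `measInfo` block, one row per `measObjLdn`. The sample event is constructed from the XML in the thread (shortened, with `measInfoId` spelled `statistics`), and the helper field names `info`, `mval`, `type_p`, `type_name`, `r_p`, `r_value` and `pair` are assumptions chosen here.

```spl
| makeresults
| eval _raw="<measData><measInfo measInfoId=\"statistics\"><job jobId=\"AAA\"/><measType p=\"1\">cpu</measType><measType p=\"2\">cpu_avg</measType><measType p=\"3\">cpu_peak</measType><measValue measObjLdn=\"Management 1\"><r p=\"1\">5</r><r p=\"2\">5</r><r p=\"3\">6</r></measValue><measValue measObjLdn=\"Management 2\"><r p=\"1\">6</r><r p=\"2\">6</r><r p=\"3\">6</r></measValue></measInfo></measData>"
| rex max_match=0 "(?s)(?<info><measInfo\s.*?</measInfo>)"
| mvexpand info
| rex field=info "measInfoId=\"(?<Measinfo_id>[^\"]*)\""
| rex field=info max_match=0 "<measType p=\"(?<type_p>\d+)\">(?<type_name>[^<]*)</measType>"
| rex field=info max_match=0 "(?s)(?<mval><measValue\s.*?</measValue>)"
| mvexpand mval
| rex field=mval "measObjLdn=\"(?<MeasObjLdn>[^\"]*)\""
| rex field=mval max_match=0 "<r p=\"(?<r_p>\d+)\">(?<r_value>[^<]*)</r>"
| eval pair=mvzip(r_p, r_value, "=")
| mvexpand pair
| rex field=pair "^(?<P_type>\d+)=(?<P_value>.*)$"
| eval Request_type=mvindex(type_name, mvfind(type_p, "^".P_type."$"))
| table _time Measinfo_id MeasObjLdn Request_type P_type P_value
| search Measinfo_id="statistics" Request_type="cpu_avg"
| xyseries _time MeasObjLdn P_value
```

To run it against indexed events, replace the first two lines with the base search; the final `search` and `xyseries` lines select one counter and produce one column per `measObjLdn` for charting.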