Can you help me extract field values and display those values as responseTypeCode requestSourceCode responseMessage correlationId?

Explorer

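<responseTypeCode>XYZ</responseTypeCode>
<requestSourceCode>JACK</requestSourceCode>
<responseCode>479</responseCode>
<responseMessage>Cannot update Employee record</responseMessage>
<correlationId>10300458578837</correlationId>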

The above data is in XML format and I need to get the below result:

1) Extract field values and display those values as responseTypeCode requestSourceCode responseMessage correlationId.
2) Get the count based on requestSourceCode, responseTypeCode, responseCode

SplunkTrust

Hi @harishnpandey

Try using |spath using the following documentation as a guide: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath#Basic_examples

Then use |stats count by requestSourceCode responseTypeCode responseCode

Here is an example:

|makeresults | eval _raw =  "<responseTypeCode>XYZ</responseTypeCode>
   <requestSourceCode>JACK</requestSourceCode>
   <responseCode>479</responseCode>
   <responseMessage>Cannot update Employee record</responseMessage>
   <correlationId>10300458578837</correlationId>"
   | spath | stats count by requestSourceCode responseCode responseMessage

Hope this is helpful

Explorer

Below is my XML data, and similarly I have thousands of records logged into the file

[1/30/19 13:20:28:237 EST] 000001d2 AppServi E   <?xml version="1.0" encoding="UTF-8"?>
<UpdateEmpInformationResponse xsi:type="in:UpdatePolicyInformationResponse" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:in="http://abc.ig.com/com/internal/interfaceobjects">
  <responseTypeCode>UBI</responseTypeCode>
  <requestSourceCode>JIU</requestSourceCode>
  <responseCode>479</responseCode>
  <responseMessage>Cannot update Employee record</responseMessage>
  <correlationId>10300458578837</correlationId>
  <error>
    <errorMessageDescription>ChoreographUpdateEmpInformation - Cannot update Employee record</errorMessageDescription>
    <errorCode>479</errorCode>
  </error>
</UpdateEmpInformationResponse>

Explorer

Thanks for your quick reply. But I don't want to limit my search to the above. I need to search through the entire log file and get the result.

Esteemed Legend

He is giving you a run-anywhere example to PROVE to you that line #6 will do what you need. Take line #6 and append it to your existing search. Profit. Come back here and click Accept and UpVote.

SplunkTrust

Yep my example should work with your whole dataset. Just do it like this: <your search> | spath | stats count by requestSourceCode responseCode responseMessage

SplunkTrust

If your data is more complicated than you have shown here, then this query will require a few changes.

Explorer
Data is in XML format 

<responseTypeCode>XYZ</responseTypeCode>
  <requestSourceCode>JACK</requestSourceCode>
  <responseCode>479</responseCode>
  <responseMessage>Cannot update Employee record</responseMessage>
  <correlationId>10300458578837</correlationId>

Explorer

I tried the suggested spath option, no luck 😞

SplunkTrust

If you post the entire contents of a single event (from Splunk, not raw data), we will be better able to help you.