Getting Data In

Why is inline conversion of XML string using XMLKV not working?

dablackgoku1234
New Member

I have the following search which extracts the inner XML pieces. I'm trying to re-parse the resulting strings into XML using xmlkv for additional extraction and it is not working properly...

sourcetype="test_suite_result_xml" | xpath outfield=testCase "//testSuite/testRunnerResults/testCase" | mvexpand testCase

returns a list of these:

<testCase> <startTime>15:45:45</startTime> <status>FINISHED</status> <testCaseId>027c9aec-3802-480c-8f5e-637ebcd192d9</testCaseId> <testCaseName>UC-CR-0010</testCaseName> <timeTaken>608</timeTaken> <testStepResults> <result> <message>Step 1 [MINT-BE-GetApplicationAndBaseUrl] OK: took 129 ms</message> <name>MINT-BE-GetApplicationAndBaseUrl</name> <order>2</order> <started>15:45:45.256</started> <status>OK</status> <timeTaken>129</timeTaken> </result> <result> <message>Step 2 [MINT-BE-StartSession] OK: took 237 ms</message> <name>MINT-BE-StartSession</name> <order>3</order> <started>15:45:45.445</started> <status>OK</status> <timeTaken>237</timeTaken> </result> <result> <message>Step 3 [Transfer_JSessionID] OK: took 4 ms -> Script-result: org.mozilla.javascript.Undefined@689cc181</message> <name>Transfer_JSessionID</name> <order>4</order> <started>15:45:45.726</started> <status>OK</status> <timeTaken>4</timeTaken> </result> <result> <message>Step 4 [MINT-BE-GetUser] OK: took 115 ms</message> <name>MINT-BE-GetUser</name> <order>5</order> <started>15:45:45.751</started> <status>OK</status> <timeTaken>115</timeTaken> </result> <result> <message>Step 5 [MINT-BE-EndSession] OK: took 123 ms</message> <name>MINT-BE-EndSession</name> <order>6</order> <started>15:45:45.905</started> <status>OK</status> <timeTaken>123</timeTaken> </result> </testStepResults> <failedTestSteps/> </testCase>

However, adding xmlkv after and trying to extract the testCaseNames returns nothing.

sourcetype="test_suite_result_xml" | xpath outfield=testCase "//testSuite/testRunnerResults/testCase" | mvexpand testCase | eval _raw=testCase | xmlkv | table testCase.testCaseName
0 Karma

sundareshr
Legend

This should give the testCaseName value | xpath .. | spath input=testcase output=testCaseName path=testCase.testCaseName | table testCaseNameor, you could run the spath on the .xml file and skip the xpath command.

0 Karma

dablackgoku1234
New Member

Thanks. Apparently, testCaseName did not require any additional spath/xpath, however, it does not work for all fields. I'm trying to get out the result statuses and I'm getting intermittent results. When the results are all OK, it returns fine. But when there are failed results, it does not return anything. The structures of the XML message are the same.

sourcetype="test_suite_result_xml" | xpath outfield=testCase "//testSuite/testRunnerResults/testCase" | mvexpand testCase | eval _raw=testCase | xmlkv | xpath outfield=resultStatus "//testCase/testStepResults/result/status" | table testCaseName, resultStatus
0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...