Solved: Re: How to read only the first value to make a rep...

nmarun · ‎11-14-2022

Hi,

I have an xml response in the below format. I'm trying to read the BusinessId value of this. Since there are multiple, I want to read only the first one and use it as part of my report.

This is how my query looks:

index=customer app_name="searchservice" | rex field=msg "BusinessId>(?P<BusinessId>[0-9]*)<\/" | table Client, MethodName, BusinessId,CorrelationId

Fields Client, MethodName and CorrelationId have already been parsed out.

The issue I'm seeing is that if the response xml has multiple entries of BusinessId, it doesn't show up in the result as shown in the first two correlation ids. For the next two, the xml had only one instance BusinessId, so it showed up in the response.

How do I fix the regex to parse only the first instance and ignore the rest?

Thanks,

Arun

ITWhisperer · ‎11-15-2022

While regex101.com is a good tool for learning regex, it is not Splunk. Try using makeresults to create sample data and test your regex there.

| makeresults 
| fields - _time
| eval msg="<Root><Node><a:BusinessId>88</a:BusinessId></Node><Node><a:BusinessId>88</a:BusinessId></Node><Node><a:BusinessId>88</a:BusinessId></Node><Node><a:BusinessId>88</a:BusinessId></Node></Root>"
| rex field=msg "BusinessId>(?P<BusinessId>[0-9]*)<\/"
| rex max_match=1 field=msg "BusinessId>(?P<BusinessId1>[0-9]*)<\/"
| rex field=msg "BusinessId>(?P<BusinessId2>[0-9]*?)<\/"
| rex field=msg "BusinessId>(?P<BusinessId3>[^<]*)<\/"

View solution in original post

nmarun · ‎11-16-2022

Thanks for your assistance on this.

nmarun · ‎11-15-2022

https://regex101.com/r/Bri0g5/1 - please use this.

ITWhisperer · ‎11-15-2022

While regex101.com is a good tool for learning regex, it is not Splunk. Try using makeresults to create sample data and test your regex there.

| makeresults 
| fields - _time
| eval msg="<Root><Node><a:BusinessId>88</a:BusinessId></Node><Node><a:BusinessId>88</a:BusinessId></Node><Node><a:BusinessId>88</a:BusinessId></Node><Node><a:BusinessId>88</a:BusinessId></Node></Root>"
| rex field=msg "BusinessId>(?P<BusinessId>[0-9]*)<\/"
| rex max_match=1 field=msg "BusinessId>(?P<BusinessId1>[0-9]*)<\/"
| rex field=msg "BusinessId>(?P<BusinessId2>[0-9]*?)<\/"
| rex field=msg "BusinessId>(?P<BusinessId3>[^<]*)<\/"

nmarun · ‎11-15-2022

Negative sir.

https://regex101.com/r/ttey6J/1 If there's a regex way to solve it, we can use this link.

nmarun · ‎11-15-2022

Thanks for the response, but sorry, neither option worked. I tried putting both and that didn't help either.

ITWhisperer · ‎11-15-2022

| rex field=msg "BusinessId>(?P<BusinessId>[0-9]*?)<\/"

or

| rex field=msg "BusinessId>(?P<BusinessId>[^<]*)<\/"

ITWhisperer · ‎11-15-2022

You could try

| rex max_match=1 field=msg "BusinessId>(?P<BusinessId>[0-9]*)<\/"

or

| eval BusinessId=mvindex(BusinessId,0)

How to read only the first value to make a report?

saved search

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...