Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to group XML request events

Thulasinathan_M
Contributor
‎08-15-2023 02:19 AM

Hi Splunk Experts,

I've different XML request(100+ requests) as a multi-line event. Is it possible to stat these requests and get their count. But all these request would have any values between their tags and rex-ing all these request to stat them would be a difficult task, but is there any possible way to achieve this criteria. Any suggestion would be very much helpful!!. Thanks in advance!!

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-15-2023 02:36 AM

You can use spath to extract fields from XML (as well as JSON).

Perhaps if you could share some anonymised events, we might be able to advise you better.

0 Karma
Reply

Thulasinathan_M
Contributor
‎08-15-2023 02:48 AM

Hi @ITWhisperer!! Thanks for the assistance.
The Request 1 & Request 3 shares the same template, but the value passed in the tags are different, but I want to consider these two request as same, while using a stat command and expecting it to return count as '2' for request with books & genres as '1'


Request 1:

<?xml version="1.0"?>
<catalog>
   <book id="bk101">
      <author>Gambardella, Matthew</author>
      <title>XML Developer's Guide</title>
      <genre>Computer</genre>
      <price>44.95</price>
      <publish_date>2000-10-01</publish_date>
      <description>An in-depth look at creating applications 
      with XML.</description>
   </book>
</catalog>


Request 2:

<?xml version="1.0"?>
<catalog>
   <genres code="gc101">
      <genre>Romance</genre>  
      <genre>Horror</genre>     
      <genre>Science Fiction</genre>  
   </genres>
</catalog>


Request 3:

<?xml version="1.0"?>
<catalog>
   <book id="bk111">
      <author>O'Brien, Tim</author>
      <title>MSXML3: A Comprehensive Guide</title>
      <genre>Computer</genre>
      <price>36.95</price>
      <publish_date>2000-12-01</publish_date>
      <description>The Microsoft MSXML3 parser is covered in 
      detail, with attention to XML DOM interfaces, XSLT processing, 
      SAX and more.</description>
   </book>
</catalog>

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-15-2023 03:02 AM

If you just want to count the first level keys within catalog, you could do this

| rex "<catalog>\s+<(?<key>\w+)"
| stats count by key
0 Karma
Reply

Thulasinathan_M
Contributor
‎08-15-2023 03:28 AM

There are no such differentiates, just to make clear on requirement I shared the sample xml request. The only difference we can identify is based on complete template.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-15-2023 03:44 AM

I am not sure I understand what you mean - here is a runanywhere example showing the extraction of the first level key from catalog and the stats count

| makeresults
| eval _raw="<?xml version=\"1.0\"?>
<catalog>
   <book id=\"bk101\">
      <author>Gambardella, Matthew</author>
      <title>XML Developer's Guide</title>
      <genre>Computer</genre>
      <price>44.95</price>
      <publish_date>2000-10-01</publish_date>
      <description>An in-depth look at creating applications 
      with XML.</description>
   </book>
</catalog>|<?xml version=\"1.0\"?>
<catalog>
   <genres code=\"gc101\">
      <genre>Romance</genre>  
      <genre>Horror</genre>     
      <genre>Science Fiction</genre>  
   </genres>
</catalog>|<?xml version=\"1.0\"?>
<catalog>
   <book id=\"bk111\">
      <author>O'Brien, Tim</author>
      <title>MSXML3: A Comprehensive Guide</title>
      <genre>Computer</genre>
      <price>36.95</price>
      <publish_date>2000-12-01</publish_date>
      <description>The Microsoft MSXML3 parser is covered in 
      detail, with attention to XML DOM interfaces, XSLT processing, 
      SAX and more.</description>
   </book>
</catalog>"
| eval xml=split(_raw,"|")
| mvexpand xml
| table xml
| rex field=xml "<catalog>\s+<(?<key>\w+)"
| stats count by key
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...