Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can someone help me extract a string from a raw XML log?

KowsiSakthi
Engager
‎11-25-2018 10:14 PM

How do I use an eval field in a search command?

Hi
I have a Raw log with XML content in it.
ex:

2018-06-19 15:35:57,320 INFO  PAYLOAD - esb_event_time=2018-06-19 15:35:55.964|esb_environment=Dev2|esb_domain=esb-domain|esb_txn=****************|esb_service=student-sda-api|esb_token=null|esb_consumer=null|esb_digest=null|esb_nonce=null|esb_guid=null|esb_correlation_id=null|esb_conversation_id=null|esb_user_ref=null|esb_effective_user=null|esb_sender_machine=null|esb_uri_params=ParameterMap{[]}|esb_query_params=ParameterMap{[]}|esb_http_request_ui=/api/student-api/v1/retrievePPSDetails|esb_content_length=296|esb_host=localhost:8000|esb_user_agent=Apache-HttpClient/4.1.1 (java 1.5)|Accept=null|content-type=application/xml|esb_query_string=|esb_http_version=HTTP/1.1|esb__timestamp=null|esb_connection=Keep-Alive|esb_http_method=POST|esb_http.scheme=http|esb_http_request_path=/retrievestudentDetails|esb_http_listener_path=/api/*|esb_rte_tag=null|esb_operation=retrievestudentDetails|esb_event=esbMsgIn|esb_error_cd=|esb_msg_size=296|esb_time=0|esb_backend_time=0|esb_routing=null|

      <name></name>
      <age>26</age>
      <PIN>100100100</PIN>
      </Identification>

Here, I am extracting the XML content and trying to search for a particular string in XML 

ex: "100100100"

This search string will be entered dynamically in a text box. Can someone guide me how to search the above string in XML and return the matching XML

I tried to use the below command...

|index=_raw| eval searchString="$textInput$"|eval xml=mvindex(split(_raw,"|"),1)|search  searchString|table xml

...but it returns with no results found. But, if I directly search the string, say for ex: search "100100100", it is returning the corresponding XML. Kindly help me to resolve this issue.

Thanks
Sakthi
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎11-26-2018 07:26 AM

Give this a try

index=_raw 
|eval xml=mvindex(split(_raw,"|"),1)\
|search xml="*$textInput$*"
|table xml

OR

index=_raw 
|eval xml=mvindex(split(_raw,"|"),1)\
| where match(xml,"$textInput$")
|table xml

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎11-26-2018 07:26 AM

Give this a try

index=_raw 
|eval xml=mvindex(split(_raw,"|"),1)\
|search xml="*$textInput$*"
|table xml

OR

index=_raw 
|eval xml=mvindex(split(_raw,"|"),1)\
| where match(xml,"$textInput$")
|table xml
Reply
Solved! Jump to solution

KowsiSakthi
Engager
‎11-26-2018 10:39 PM

Hi somesoni2,
It worked!!!. Thanks a lot

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...