Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Counting xml tags in raw event

ajaysamantbms
Explorer
‎12-15-2013 05:03 PM

my event records are xml based as shown below coming in from one file, one sourcetype-
12........
..... // inside transaction tag i can contain anything
.....
.....
.....
.....
.....
.....
I am able to extract child tags inside each one - thats not an issue.
But how do i count how many records were of type Transaction and how many were of type Error.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-16-2013 11:06 AM

Try following 

sourcetype=gatewaylogs1 |  rex "^\<(?<eventType>[^\>]+)" | stats count by eventType

This should give your count of event for transaction/error.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-16-2013 11:06 AM

Try following 

sourcetype=gatewaylogs1 |  rex "^\<(?<eventType>[^\>]+)" | stats count by eventType

This should give your count of event for transaction/error.

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎12-16-2013 04:37 AM

Try this

sourcetype=gatewaylogs1 "<transaction>" OR "<error>" 
| eval type=case (match(_raw,"\<transaction\>", "Transaction",  match(_raw,"\<error\>", "Error")
| stats count by type

if the transaction contains an XML error field, it will be counted only as a transaction, not as an error

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎12-16-2013 03:14 PM

Well, your search isn't filtering out anything, so it will certainly have all the events from gatewaylogs1. I have updated the search. But not sure yet if it will work.

0 Karma
Reply
Solved! Jump to solution

ajaysamantbms
Explorer
‎12-16-2013 08:28 AM

Tried this

sourcetype=gatewaylogs1 | eval type=case ( match(_raw,"<error>"), "Error", match(_raw,"<transaction>"), "Transaction" ) | stats count by type

No errors...but no output..all it says 16 events..shows number of events..16 events (before 12/16/13 11:25:23.000 AM ) but no output in Statistics tab

And 16 is total events including events that has tags which i wanted to filter..so this query is really not doing anything..

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-15-2013 10:11 PM

how are you extracting fields? Using regular expression for each field or using spath?

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...