Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extracting field from JSON and XML response

dbautist
Explorer
‎02-25-2013 11:29 AM

Depending on the content-type, the response that is logged is either in JSON or XML. I want to create a single query that would extract the REQUEST and DETAIL regardless of what the content-type is. I'm thinking I'd have to use spath, but I'm having a hard time grabbing the response between the "------------" and "<<<<<<<<<<<". I tried escaping it but no luck. Any help would be appreciated.

Note that these are 2 different log events.

2013-02-23 22:36:11,900 ID=[12345] >>>>>>>>>> > HTTP STATUS (400) POST https://myapi/test > content-type: application/xml > accept: application/xml > host: test.com > content-length: 249 > connection: Keep-Alive > <?xml version="1.0" encoding="utf-8"?>johndoe12345 ++++++++++ > Content-Type: application/xml > Cache-Control: no-cache, no-transform > = <?xml version="1.0" encoding="UTF-8"?> 400 myapi INVALID_LASTNAME TEST EXPECTED: LENGTH TOO SHORT ------------ <?xml version="1.0" encoding="UTF-8"?> 400 myapi INVALID_LASTNAME TEST EXPECTED: LENGTH TOO SHORT <<<<<<<<<<<

2013-02-23 22:36:11,900 ID=[12345] >>>>>>>>>> > HTTP STATUS (400) POST https://myapi/test > content-type: application/json; charset=utf-8 > accept: application/json > host: test.com > content-length: 74 > Expect: 100-continue > connection: Keep-Alive > {"firstname":"john","lastname":"doe","id":"12345"} ++++++++++ > Content-Type: application/json > Cache-Control: no-cache, no-transform > = { "status" : 400, "source" : "myapi", "code" : "INVALID_LASTNAME", "detail" : [ { "type" : "TEST", "annotation" : "EXPECTED: LENGTH TOO SHORT" } ] } ------------ { "status" : 400, "source" : "myapi", "code" : "INVALID_LASTNAME", "detail" : [ { "type" : "TEST", "annotation" : "EXPECTED: LENGTH TOO SHORT" } ] } <<<<<<<<<<<

Tags (3)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-25-2013 12:56 PM

I was bored...

| gentimes start=-1 increment=5m | head 2 | eval tmp = if(starttime%600==0,"2013-02-23 22:36:11,900 ID=[12345] >>>>>>>>>> > HTTP STATUS (400) POST https://myapi/test > content-type: application/xml > accept: application/xml > host: test.com > content-length: 249 > connection: Keep-Alive > <?xml version=\"1.0\" encoding=\"utf-8\"?><request><firstname>john</firstname><lastname>doe</lastname><id>12345</id></request> ++++++++++ > Content-Type: application/xml > Cache-Control: no-cache, no-transform > = <?xml version=\"1.0\" encoding=\"UTF-8\"?> <error> <status>400</status> <source>myapi</source> <code>INVALID_LASTNAME</code> <detail> <type>TEST</type> <annotation>EXPECTED: LENGTH TOO SHORT</annotation> </detail> </error> ------------ <?xml version=\"1.0\" encoding=\"UTF-8\"?> <error> <status>400</status> <source>myapi</source> <code>INVALID_LASTNAME</code> <detail> <type>TEST</type> <annotation>EXPECTED: LENGTH TOO SHORT</annotation> </detail> </error> <<<<<<<<<<<","2013-02-23 22:36:11,900 ID=[12345] >>>>>>>>>> > HTTP STATUS (400) POST https://myapi/test > content-type: application/json; charset=utf-8 > accept: application/json > host: test.com > content-length: 74 > Expect: 100-continue > connection: Keep-Alive > {\"firstname\":\"john\",\"lastname\":\"doe\",\"id\":\"12345\"} ++++++++++ > Content-Type: application/json > Cache-Control: no-cache, no-transform > = { \"status\" : 400, \"source\" : \"myapi\", \"code\" : \"INVALID_LASTNAME\", \"detail\" : [ { \"type\" : \"TEST\", \"annotation\" : \"EXPECTED: LENGTH TOO SHORT\" } ] } ------------ { \"status\" : 400, \"source\" : \"myapi\", \"code\" : \"INVALID_LASTNAME\", \"detail\" : [ { \"type\" : \"TEST\", \"annotation\" : \"EXPECTED: LENGTH TOO SHORT\" } ] } <<<<<<<<<<<") | rex field=tmp "(?<req_xml>\<\?xml .+?)\s+\+{8}.*?-{8,}\s+(?<resp_xml>\<\?xml .*?)\s+\<{8,}" | rex field=tmp "\>\s+(?<req_json>\{.*?)\s+\+{8,}.*?-{8,}\s+(?<resp_json>\{.*?)\s+\<{8,}" | spath input=req_xml output=firstname path=request.firstname | spath input=req_xml output=lastname path=request.lastname | spath input=req_xml output=id path=request.id | spath input=req_json output=firstname path=firstname | spath input=req_json output=lastname path=lastname | spath input=req_json output=id path=id | spath input=resp_xml output=detail_type path=error.detail.type | spath input=resp_xml output=detail_annotation path=error.detail.annotation | spath input=resp_json output=detail_type path=detail{}.type | spath input=resp_json output=detail_annotation path=detail{}.annotation | fields - *xml *json

The juicy bits are in the bottom nine or so lines.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-25-2013 11:01 PM

I am aware of that - if you run the above query you'll see two events treated equally.

0 Karma
Reply

dbautist
Explorer
‎02-25-2013 04:00 PM

Thanks martin. The two logs above are actually 2 different events.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...