Splunk Search

Help with search in an XML file: multi-line data for validation of HTTP response content for API calls

rpachamuthu
Explorer

I am new to Splunk queries.

I need to capture the field value of tn "Subscription_S04_LookupInvoiceStatus" and the Response data (highlighted in bold in the XML file below) for the corresponding "tn" field value, and display them under statistics.

The "Subscription_S04_LookupInvoiceStatus" value is present multiple times in the XML file, along with the Response data for the corresponding "tn" field value; I want to query for unique ones (remove duplicates).

I tried the query below, but it's not pulling the Response Data.

Kindly help me; it would be a great help.

Query I tried:

index=perf-*** host=****** source=/home/JenkinsSlave/JenkinsSlaveDir/workspace/*/project/logs/*SamplerErrors.xml
| eval tn=replace(tn,"\d{1}\d+","")
| rex "<responseData class=\"java\.lang\.String\">?{(?P<Response_Data1>[\w\D]+)<\/java.net.URL>"
| dedup tn
| stats count by tn,Response_Data1
| rex field=Response_Data1 max_match=2 "<responseData class=\"java\.lang\.String\">?{(?P<Response_Data2>[\w\D]+)<\/java.net.URL>"
| eval Response_Data2=if(mvcount(Response_Data2)=2, mvindex(Response_Data2, 2), Response_Data2)

XML Data:

--------------------

</sample>
<sample t="48" lt="0" ts="1662725857475" s="true" lb="HealthCheck_Subscription_S04_LookupInvoiceStatus_T01_LookupInvoiceStatus" rc="200" rm="Number of samples in transaction : 1, number of failing samples : 0" tn="Subscription_S04_LookupInvoiceStatus 1-1" dt="" by="465" ng="1" na="1">
<httpSample t="48" lt="48" ts="1662725858479" s="true" lb="EDI2" rc="200" rm="OK" tn="Subscription_S04_LookupInvoiceStatus 1-1" dt="text" by="465" ng="1" na="1">
<responseHeader class="java.lang.String">HTTP/1.1 200 OK Date: Fri, 09 Sep 2022 12:17:38 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Content-Encoding: gzip </responseHeader>
<requestHeader class="java.lang.String">Connection: keep-alive content-type: application/json Authorization: Bearer test_***** Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 perftest: true Content-Length: 40 Host: stage-subscription.teslamotors.com X-LocalAddress: /10.33.51.205 </requestHeader>
<responseData class="java.lang.String">{"orderRefId":"****","productName":"***","country":"NL","invoiceInformation":[{"uniqueOrderId":"****","amount":**,"currency":null,"invoiceStatus":"**","dueDate":null,"cycleStartDate":"**","cycleEndDate":"*****","paymentDate":"****"}]}</responseData>
<responseFile class="java.lang.String"/>
<cookies class="java.lang.String"/>
<method class="java.lang.String">POST</method>
<queryString class="java.lang.String">{ "OrderRefId": "*****"}</queryString>


scelikok
SplunkTrust

Hi @rpachamuthu,

Please try the sample below:

index=perf-*** host=****** source=/home/JenkinsSlave/JenkinsSlaveDir/workspace/*/project/logs/*SamplerErrors.xml
| spath
| rename *{@*} as *_*
| stats values("sample.httpSample.responseData") as responseData by sample_tn

If this reply helps you, an upvote and "Accept as Solution" is appreciated.


rpachamuthu
Explorer

Could someone please help me?


yuanliu
SplunkTrust

The first rule is not to try to extract structured data using rex. Either set the sourcetype to extract XML automatically (see KV_MODE in Field extraction configuration), or, if XML is not automatically extracted, use the spath command. After that, you should have a field sample{@tn} ready to be used, together with a plethora of other fields structured in the XML.

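The two answers above make the same point: treat the JMeter result file as XML and group responseData by the sample's tn attribute instead of regexing the raw text. The Python below is an added offline illustration of that grouping (not code from either answer or from Splunk); it parses a constructed fragment in the shape of the file in the question, strips JMeter's " 1-1" thread suffix from tn (my substitute for the question's eval replace(), which would also eat the "04" in "S04"), and returns the unique response bodies per transaction, like `stats values(...) by sample_tn`.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the JMeter result-file shape shown in the question
# (masked values; wrapped in a root element so the fragment parses).
SAMPLE_XML = """<testResults version="1.2">
<sample ts="1662725857475" s="true" rc="200" tn="Subscription_S04_LookupInvoiceStatus 1-1">
  <httpSample ts="1662725858479" s="true" lb="EDI2" rc="200" tn="Subscription_S04_LookupInvoiceStatus 1-1">
    <responseData class="java.lang.String">{"country":"NL","invoiceStatus":"PAID"}</responseData>
    <method class="java.lang.String">POST</method>
  </httpSample>
</sample>
<sample ts="1662725859000" s="true" rc="200" tn="Subscription_S04_LookupInvoiceStatus 1-2">
  <httpSample ts="1662725859100" s="true" lb="EDI2" rc="200" tn="Subscription_S04_LookupInvoiceStatus 1-2">
    <responseData class="java.lang.String">{"country":"NL","invoiceStatus":"PAID"}</responseData>
  </httpSample>
</sample>
<sample ts="1662725860000" s="false" rc="401" tn="Subscription_S01_Login 1-1">
  <httpSample ts="1662725860050" s="false" lb="EDI1" rc="401" tn="Subscription_S01_Login 1-1">
    <responseData class="java.lang.String">{"error":"unauthorized"}</responseData>
  </httpSample>
</sample>
</testResults>"""

# JMeter appends " <group>-<thread>" to tn; strip it so repeats of the same
# transaction collapse together (assumed replacement for the eval replace()).
THREAD_SUFFIX = re.compile(r"\s+\d+-\d+$")


def normalize_tn(tn):
    return THREAD_SUFFIX.sub("", tn)


def response_data_by_tn(xml_text):
    """Map transaction name -> sorted unique responseData bodies, mirroring
    `spath | rename *{@*} as *_* | stats values(...) by sample_tn`."""
    root = ET.fromstring(xml_text)
    out = defaultdict(set)          # a set gives the dedup the question asks for
    for sample in root.iter("sample"):          # only <sample>, not <httpSample>
        tn = normalize_tn(sample.get("tn", ""))
        for rd in sample.iter("responseData"):  # bodies nested under httpSample
            if rd.text and rd.text.strip():
                out[tn].add(rd.text.strip())
    return {tn: sorted(bodies) for tn, bodies in out.items()}


if __name__ == "__main__":
    for tn, bodies in sorted(response_data_by_tn(SAMPLE_XML).items()):
        print(tn, bodies)
```

The code deliberately touches only responseData: the same file's requestHeader carries the Authorization bearer token, so keep that element out of any stats output that gets shared.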

rpachamuthu
Explorer

Hi @yuanliu,

Thank you for your response.

I am having challenges creating a field for "Response Data" and displaying it next to the "tn" field.

Please help me with a sample query if possible.
