Help with Search in XML file-Multiple lines data for validation of HTTP response content validation for API calls

rpachamuthu
Engager

I am new to Splunk queries.

I need to capture the field value of tn "Subscription_S04_LookupInvoiceStatus" and the Response data (highlighted in bold in the XML file below) for the corresponding "tn" field value, and display them under statistics.

The "Subscription_S04_LookupInvoiceStatus" value is present multiple times in the XML file, along with the Response data for the corresponding "tn" field value. I want to query for the unique ones (remove duplicates).

I tried the query below, but it's not pulling the Response data.

Kindly help me; it would be a great help.

 

Query I tried:

index=perf-*** host=****** source=/home/JenkinsSlave/JenkinsSlaveDir/workspace/*/project/logs/*SamplerErrors.xml | eval tn=replace(tn,"\d{1}\d+","") | rex d"<responseData class=\"java\.lang\.String\">?{(?P<Response_Data1>[\w\D]+)<\/java.net.URL>" | dedup tn | stats count by tn,Response_Data1 |rex field=Response_Data1 max_match=2 "<responseData class=\"java\.lang\.String\">?{(?P<Response_Data2>[\w\D]+)<\/java.net.URL>" | eval Response_Data2=if(mvcount(Response_Data2)=2, mvindex(Response_Data2, 2), Response_Data2)

XML Data:

--------------------

</sample>
<sample t="48" lt="0" ts="1662725857475" s="true" lb="HealthCheck_Subscription_S04_LookupInvoiceStatus_T01_LookupInvoiceStatus" rc="200" rm="Number of samples in transaction : 1, number of failing samples : 0" tn="Subscription_S04_LookupInvoiceStatus 1-1" dt="" by="465" ng="1" na="1">
<httpSample t="48" lt="48" ts="1662725858479" s="true" lb="EDI2" rc="200" rm="OK" tn="Subscription_S04_LookupInvoiceStatus 1-1" dt="text" by="465" ng="1" na="1">
<responseHeader class="java.lang.String">HTTP/1.1 200 OK Date: Fri, 09 Sep 2022 12:17:38 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Content-Encoding: gzip </responseHeader>
<requestHeader class="java.lang.String">Connection: keep-alive content-type: application/json Authorization: Bearer test_***** Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 perftest: true Content-Length: 40 Host: stage-subscription.teslamotors.com X-LocalAddress: /10.33.51.205 </requestHeader>
<responseData class="java.lang.String">{"orderRefId":"****","productName":"***","country":"NL","invoiceInformation":[{"uniqueOrderId":"****","amount":**,"currency":null,"invoiceStatus":"**","dueDate":null,"cycleStartDate":"**","cycleEndDate":"*****","paymentDate":"****"}]}</responseData>
<responseFile class="java.lang.String"/>
<cookies class="java.lang.String"/>
<method class="java.lang.String">POST</method>
<queryString class="java.lang.String">{ "OrderRefId": "*****"}</queryString>

0 Karma
1 Solution

scelikok
SplunkTrust

Hi @rpachamuthu,

Please try the sample below:

index=perf-*** host=****** source=/home/JenkinsSlave/JenkinsSlaveDir/workspace/*/project/logs/*SamplerErrors.xml
| spath 
| rename *{@*} as *_* 
| stats values("sample.httpSample.responseData") as responseData by sample_tn

If this reply helps you, an upvote is appreciated.

0 Karma

rpachamuthu
Engager

Could someone please help me?

0 Karma

yuanliu
SplunkTrust

The first rule is not to try to extract structured data using rex. Either set the sourcetype to extract XML automatically (see KV_MODE in Field extraction configuration), or, if XML is not automatically extracted, use the spath command. After that, you should have a field sample{@tn} ready to be used, together with a plethora of other fields structured in the XML.

0 Karma
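
The spath approach from the replies above, as an added example that is not part of the original thread: it runs against one constructed event built with makeresults, strips the thread suffix (" 1-1") from tn so repeated runs collapse into one row, and parses the JSON inside responseData with a second spath so the response content can be checked. It assumes each event holds one complete <sample> element; the output field names (tn, rc, responseData, invoiceStatus) and all sample values are chosen here for illustration.

```spl
| makeresults
| eval _raw="<sample rc=\"200\" tn=\"Subscription_S04_LookupInvoiceStatus 1-1\"><httpSample rc=\"200\" tn=\"Subscription_S04_LookupInvoiceStatus 1-1\"><responseData class=\"java.lang.String\">{\"orderRefId\":\"constructed-order-1\",\"country\":\"NL\",\"invoiceInformation\":[{\"invoiceStatus\":\"constructed-status\"}]}</responseData></httpSample></sample>"
| spath
| rename "sample{@tn}" as tn, "sample.httpSample{@rc}" as rc, "sample.httpSample.responseData" as responseData
| eval tn=replace(tn, "\s+\d+-\d+$", "")
| spath input=responseData path=invoiceInformation{}.invoiceStatus output=invoiceStatus
| stats count values(rc) as rc values(invoiceStatus) as invoiceStatus values(responseData) as responseData by tn
```

To run it on real data, replace the first two lines with the index, host and source filter from the question.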

rpachamuthu
Engager

Hi @yuanliu ,

Thank you for your response,

I am having challenges creating a field for "Response Data" and displaying it next to the "tn" field.

Please help me with a sample query if possible.

0 Karma