Hi, I have logs of these events.
They contain a requestID with some listType,
and in the response they can contain the requestID with a recordType,
and I need to have something like
listType email / 20x B / 13x W
listType phone / 10xB / 11x W
but with one event containing multiple requestIDs, each of which can be for a different listType, I'm not sure how to do it.
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<ns2:searchResponse xmlns:ns2="http://**********">
<ns2:records>
<ns2:requestId>11111111</ns2:requestId>
<ns2:recordType>B</ns2:recordType>
</ns2:records>
<ns2:records>
<ns2:requestId>2222222</ns2:requestId>
<ns2:recordType>W</ns2:recordType>
</ns2:records>
<ns2:records>
<ns2:requestId>3333333333333</ns2:requestId>
<ns2:recordType>W</ns2:recordType>
</ns2:records>
</ns2:searchResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>] for request [<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header/>
<env:Body>
<trl:searchRequest xmlns:trl="http://**********">
<trl:records>
<trl:requestId>11111111</trl:requestId>
<trl:listType>email</trl:listType>
....
</trl:records>
<trl:records>
<trl:requestId>3333333333333</trl:requestId>
<trl:listType>phone</trl:listType>
.....
</trl:records>
....
</trl:searchRequest>
</env:Body>
</env:Envelope>
Two approaches:
Define your event-breaking rules at index time for your sourcetype to break that XML into several small events,
but then all the other fields will be disconnected from the events.
https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking
Or index it as it is and, at search time, try to use the | spath command to parse the XML and get the fields stored in a multivalue field structure.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Xpath
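As an added illustration that is not part of the original thread (and not Splunk SPL): the requestId join that the search-time spath/multivalue approach would have to do, done in Python over a constructed event in the logged shape (response XML, then "] for request [", then request XML). The namespace URIs and record values are placeholders I made up; only the element names come from the logs above.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample event in the same shape as the logged SOAP exchange.
# Namespace URIs are placeholders (the real ones are masked in the thread).
SAMPLE_EVENT = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body><ns2:searchResponse xmlns:ns2="http://example.invalid/ns">
<ns2:records><ns2:requestId>11111111</ns2:requestId><ns2:recordType>B</ns2:recordType></ns2:records>
<ns2:records><ns2:requestId>2222222</ns2:requestId><ns2:recordType>W</ns2:recordType></ns2:records>
<ns2:records><ns2:requestId>3333333333333</ns2:requestId><ns2:recordType>W</ns2:recordType></ns2:records>
</ns2:searchResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>] for request [<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body><trl:searchRequest xmlns:trl="http://example.invalid/ns">
<trl:records><trl:requestId>11111111</trl:requestId><trl:listType>email</trl:listType></trl:records>
<trl:records><trl:requestId>2222222</trl:requestId><trl:listType>email</trl:listType></trl:records>
<trl:records><trl:requestId>3333333333333</trl:requestId><trl:listType>phone</trl:listType></trl:records>
</trl:searchRequest></env:Body></env:Envelope>]"""


def local(tag):
    """Strip the XML namespace from an ElementTree tag: '{uri}requestId' -> 'requestId'."""
    return tag.rsplit("}", 1)[-1]


def records(xml_text, value_tag):
    """Map requestId -> text of <value_tag> for every <records> element in one SOAP document."""
    root = ET.fromstring(xml_text)
    out = {}
    for rec in root.iter():
        if local(rec.tag) != "records":
            continue
        fields = {local(child.tag): (child.text or "").strip() for child in rec}
        if "requestId" in fields and value_tag in fields:
            out[fields["requestId"]] = fields[value_tag]
    return out


def summarise(event):
    """Join response recordType to request listType on requestId; count recordType per listType."""
    response_xml, request_xml = event.split("] for request [", 1)
    request_xml = request_xml.rstrip().rstrip("]")  # drop the closing bracket of the log line
    list_types = records(request_xml, "listType")
    record_types = records(response_xml, "recordType")
    counts = defaultdict(Counter)
    for req_id, rec_type in record_types.items():
        # A requestId answered but never seen in the request is tallied under "unknown".
        counts[list_types.get(req_id, "unknown")][rec_type] += 1
    return {lt: dict(c) for lt, c in counts.items()}


def format_summary(counts):
    """Render the tally in the 'listType email / 1x B / 1x W' form asked for above."""
    return [f"listType {lt} / " + " / ".join(f"{n}x {rt}" for rt, n in sorted(c.items()))
            for lt, c in sorted(counts.items())]
```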