Splunk Search

How can I create a table of results from my XML data?

Path Finder

Given the following event log XML (sample) data:

<?xml version="1.0" encoding="utf-8" standalone="no"?>
<!--This file represents the results of running a test suite-->
<test-results total="2" errors="0" failures="1" not-run="2" inconclusive="0" ignored="2" skipped="0" invalid="0" date="2015-08-18" time="12:36:04">
  <test-suite type="Assembly" name="Smoke.Tests.dll" executed="True" result="Failure" success="False" time="40.000" asserts="0">
    <results>
      <test-suite type="Namespace" name="MyTestSuite" executed="True" result="Failure" success="False" time="40.000" asserts="0">
        <results>
          <test-suite type="TestFixture" name="Feature1" description="Description1" executed="True" result="Success" time="20.000">
            <results>
              <test-case name="Test1" description="TestDescription1" executed="True" result="Success"/>
            </results>
          </test-suite>
          <test-suite type="TestFixture" name="Feature2" description="Description2" executed="False" result="Ignored">
            <results>
              <test-case name="Test2" description="TestDescription2" executed="False" result="Ignored"/>
            </results>
          </test-suite>
          <test-suite type="TestFixture" name="Feature3" description="Description3" executed="True" result="Fail" time="20.000">
            <results>
              <test-case name="Test3" description="TestDescription3" executed="True" result="Fail"/>
            </results>
          </test-suite>
          <test-suite type="TestFixture" name="Feature14" description="Description4" executed="False" result="Ignored">
            <results>
              <test-case name="Test4" description="TestDescription4" executed="False" result="Ignored"/>
              <test-case name="Test5" description="TestDescription5" executed="False" result="Ignored"/>
              <test-case name="Test6" description="TestDescription6" executed="False" result="Ignored"/>
            </results>
          </test-suite>
        </results>
      </test-suite>
    </results>
  </test-suite>
</test-results>

Is it possible to generate 2 tables of results similar to those below (including the 'group' data too) for only those Test Fixtures where executed=True:

Name        Description   Result    TimeTaken
Feature1    Description1  Success   20.000
Feature3    Description3  Fail      20.000

Date        Time      Ran   Ignored   Failed   Errored   TotalTime
2015-08-18  12:36:04  2     2         1        0         40.000

Motivator

Two things you need to consider:

1) spath has an extraction cutoff whose default is the first 5000 bytes, so if your XML event is greater than 5000 bytes, spath will not extract all fields.
2) If your event is greater than 10K characters, you need to ensure that the whole event is ingested and not truncated.

To address these two cases you could use the following configuration files:

1) /opt/splunk/etc/system/local/inputs.conf

[your_sourcetype_name]
TRUNCATE = 0

2) /opt/splunk/etc/system/local/limits.conf

[spath]
extraction_cutoff = 10000

Then, restart splunk.

I hope it helps...
Lp

For more information
http://docs.splunk.com/Documentation/Splunk/6.2.5/Admin/Limitsconf
http://docs.splunk.com/Documentation/Splunk/6.2.5/Admin/Inputsconf

0 Karma

Path Finder

I've read about this, and did mention the 5000 limit in my last comment. However, as useful as this is, it is not an answer to the question.

The question is how to obtain multiple XML query results (i.e. from multiple elements that match the query) from each single XML event log and display them as a table.

Thanks.

0 Karma

Path Finder

I can generate the summary results using the following:

sourcetype="xml" | spath output="TotalTime" path=test-results.test-suite{1}{@time} | rename total as "Ran" | rename success as "Overall Result" | table date, time, "Ran", ignored, failures, errors, "TotalTime"

(Please ignore the naming of the headers.)
These fields are automatically generated by Splunk (I assume from the processing of the first 5000 chars of the file, though I can't get to any Splunk server config files).

0 Karma
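An added example (not from the original thread) of the two searches that would produce the fixture table and the summary table asked for in the question. The first pulls the inner test-suite elements out as a multivalue field, expands them to one row per fixture, and parses each fragment on its own, so the ignored fixtures that carry no time attribute do not shift the columns of the executed ones; the second reads the attributes of the root element. It assumes sourcetype="xml" as in the poster's search, the element and attribute names from the sample XML, that spath returns each matched element as its raw XML fragment (so the fragment paths start at test-suite), and that the whole event fits under spath's extraction_cutoff as discussed above.

```spl
sourcetype="xml"
| spath output=fixture path="test-results.test-suite.results.test-suite.results.test-suite"
| mvexpand fixture
| spath input=fixture output=Name        path="test-suite{@name}"
| spath input=fixture output=Description path="test-suite{@description}"
| spath input=fixture output=Executed    path="test-suite{@executed}"
| spath input=fixture output=Result      path="test-suite{@result}"
| spath input=fixture output=TimeTaken   path="test-suite{@time}"
| where Executed="True"
| table Name Description Result TimeTaken

sourcetype="xml"
| spath output=Date      path="test-results{@date}"
| spath output=Time      path="test-results{@time}"
| spath output=Ran       path="test-results{@total}"
| spath output=Ignored   path="test-results{@ignored}"
| spath output=Failed    path="test-results{@failures}"
| spath output=Errored   path="test-results{@errors}"
| spath output=TotalTime path="test-results.test-suite{@time}"
| table Date Time Ran Ignored Failed Errored TotalTime
```

If the auto-extracted fields stop short of the later fixtures, that is the 5000-byte extraction_cutoff from the earlier reply rather than a path error; raise it before debugging the paths.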