Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can I extract specific data from a complex...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jtracy
Engager
05-18-2016
02:09 PM
So I've been reading around and most people point to xpath, but after hours of troubleshooting I can't seem to get it to work in my scenario. I'm trying to extract decision and reasoncode as fields and report on them, but I just can't seem to get Splunk to recognize them in all of the outputs.
So far I have this search working to report all failures (kind of). But I'm hoping for something better.
Sample Search:
host=relevanthost "<c:decision>" "<c:reasonCode>" NOT "<c:decision>ACCEPT</c:decision>"
|xmlkv |timechart count by c:reasonCode limit=25
Sample Code:
[2016-05-timestampstuff] [HOSTNAME] [NOTIFICATION] [numbers] [oracle.router.stuff] [tid: [ACTIVE].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <fakeuser>] [ecid: fakenumbersandlettersecid] [oracle.soa.tracking.FlowId: 000000000] [oracle.soa.tracking.InstanceId: 000000000] [oracle.soa.tracking.SCAEntityId: 00000] [FlowId:fakenumbersandletters] [[
[OSB Tracing] Entering pipeline pair Process Request with message context:
[MessageContextImpl uid="fakeuidlettersandnumbers"
body="<soap:Body xmlns:soap="http://schemas.fake.url/soap/stuff">
<c:replyMessage xmlns:c="urn:fake.data.here">
<c:merchantReferenceCode>0000000000</c:merchantReferenceCode>
<c:requestID>0000000000000000000000</c:requestID>
<c:decision>ACCEPT</c:decision>
<c:reasonCode>100</c:reasonCode>
<c:requestToken>faketokenlettersandnumbers</c:requestToken>
<c:purchaseTotals>
<c:currency>USD</c:currency>
</c:purchaseTotals>
<c:ccAuthReply>
<c:reasonCode>100</c:reasonCode>
<c:amount>99.99</c:amount>
<c:authorizationCode>000000</c:authorizationCode>
<c:avsCode>X</c:avsCode>
<c:avsCodeRaw>A3</c:avsCodeRaw>
<c:cvCode>S</c:cvCode>
<c:cvCodeRaw>S</c:cvCodeRaw>
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
05-18-2016
02:23 PM
If you're only interested in the two fields, you're probably better off using rex. Like this
.... | rex ield=_raw "decision\>(?<decision>[^\<]+)\<" | rex field=_raw "reasonCode\>(?<reasonCode>[^\<]+)\<\/" | where decision!="ACCEPT" | timechart count by reasonCode
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
05-18-2016
02:23 PM
If you're only interested in the two fields, you're probably better off using rex. Like this
.... | rex ield=_raw "decision\>(?<decision>[^\<]+)\<" | rex field=_raw "reasonCode\>(?<reasonCode>[^\<]+)\<\/" | where decision!="ACCEPT" | timechart count by reasonCode
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jtracy
Engager
05-18-2016
03:17 PM
This worked! Thanks! Would I be able to somehow use this to extrapolate what percentage each value for reasonCode represents in all results with "ACCEPT" as a value for decision in a timechart?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
05-18-2016
03:51 PM
Try this
.... | rex ield=_raw "decision\>(?<decision>[^\<]+)\<" | rex field=_raw "reasonCode\>(?<reasonCode>[^\<]+)\<\/" | where decision!="ACCEPT" | eventstats count as total by reasonCode | eval p=1/total | bin span=1d _time as time | stats sum(p) as perc by time reasonCode | eval perc=tostring(round(perc, 2), "commas") | eval time=strftime(time, "%x %X") | xyseries time reasonCode perc
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
