- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can I use Rex or Regex to shorten up a tim...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I use Rex or Regex to shorten up a timechart search by removing xmlkv function?
I'm trying to shorten up a timechart search by removing the xmlkv function. I've tried numerous times using rex and regex but have been unsuccessful.
Current working search string takes to long to execute is this:
index=abc sourcetype=abc_123 | xmlkv | search somequery
| timechart count by somequery usenull=F useother=F
| rename Yes AS "somequery good" No AS "somequery bad"
In place of the xmlkv | search somequery I've tried regex_raw="NoALIQuery." and other variations. The search pulls results, but for the purpose of timechart it shows them as only Null. I need them to show the somequery field true values of Yes or No
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Without seeing an example of the data you have and specifically the field you want to extract - you may find help with the below.
If you want to extract the value of the "gender" element from the following example XML:
<person>
<gender>female</gender>
<firstname>Anna</firstname>
<lastname>Smith</lastname>
</person>
You would replace the xmlkv command with the following rex command:
rex field=_raw "gender=\"(?<gender>.*?)\""
If instead you want to extract the value of the gender attributefrom the following example XML:
<person gender="female">
<firstname>Anna</firstname>
<lastname>Smith</lastname>
</person>
Then in this case you would replace the xmlkv command with the following rex command:
rex field=_raw "\<gender\>(?<gender>.*?)\<\/gender\>"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Its like your first example -
now in using this example. if the expected results for gender is male or female, how to I use that data to create a timechart? If I use:
timechart count by gender
The results all show as NULL. I would like them to show male or female
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you add a sample of the node that you need to extract?
You can either use spath to traverse and extract only the node you are interested in or else use rex to extract based on start and end pattern.
Please add some sample event or mock data for the community to assist.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you perhaps show what your data looks like and what exactly you are trying to accomplish with that | xmlkv | search somequery part? Maybe give an example of the output you want from this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
each search result has dozens of lines of xml formatted data. I'm only concerned with the data in one field (it will either be Yes or No). XMLKV would parse all the data and allow a search, but it takes a long time based on the amount of data. I want to look at the single field only for the purpose of this seaech / timechart
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
