Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can i extract keywords from my log as field values for field name API's

Sujithkumarkb
Observer
‎01-09-2020 03:52 AM

How can i extract the below block letter keywords (OrderUpdateWithAccountInfoRequest ,VinValidationRequest,GetEntitledRequest ..)from my log as field values for field name API's?

2020-01-09 03:58:08,280 INFO com.hti.gw.interceptor.ServiceInterceptor (Hughes_Tre13342)
<OrderUpdateWithAccountInfoRequest ** xmlns:ns5=".......
2020-01-08 06:25:25,836 INFO com.vzt.pg.AbstractMiddlewareDelegate (AMP_RptDqckdAsT5ldcFG8eh_tdzbmtxux44z850) <VinValidationRequest** xmlns:ns2="http://www.hughestelematics.com.....
2020-01-08 06:25:25,546 INFO com.vzt.pg.AbstractMiddlewareDelegate (AMP_RptDqckdAsT5ldcFG8eh_tdzbmtxux44z850) <GetEntitledRequest xmlns:ns2="ht......
2020-01-08 06:20:13,637 INFO com.vzt.pg.AbstractMiddlewareDelegate
(AMP_RptDqckdAsT5ldcFG8eh_9wiiwnvakzcdc66) <VinValidationRequest xmlns:ns2="http:/......

0 Karma
Reply

TISKAR
Builder
‎01-09-2020 06:53 AM

Hello :),

I simulate the extractation of API field, This is example to extract field API from log, you can past this request in your empty search and run it:

| makeresults
| eval raw="2020-01-09 03:58:08,280 INFO \[com.hti.gw.interceptor.ServiceInterceptor\] (default task-24) (Hughes_Tre13342)
<OrderUpdateWithAccountInfoRequest xmlns:ns5=\"....\" API=\"Smile\"> <second ligne>" 
| rex field=raw "OrderUpdateWithAccountInfoRequest[^API]+API=\"(?<API>[^\"]+)"
0 Karma
Reply

Sujithkumarkb
Observer
‎01-09-2020 10:22 PM

@TISKAR , thanks for your response but this rex is extracting only the value "Smile" and not OrderUpdateWithAccountInfoRequest ,VinValidationRequest,GetEntitledRequest ...

0 Karma
Reply

TISKAR
Builder
‎01-10-2020 12:29 AM

Try this:

| makeresults
 | eval raw="2020-01-09 03:58:08,280 INFO \[com.hti.gw.interceptor.ServiceInterceptor\] (default task-24) (Hughes_Tre13342)
 <OrderUpdateWithAccountInfoRequest xmlns:ns5=\"....\" API=\"Smile\"> <second ligne>" 
 | rex field=raw "<(?<API>\S+)"
0 Karma
Reply

Sujithkumarkb
Observer
‎01-10-2020 01:26 AM

@TISKAR , that works . This way i can extract one API at a time , But there are more than 400 APIs like OrderUpdateWithAccountInfoRequest ..
How can I generically run Rex and extract all APIs under the field API and save them as extracted field values

0 Karma
Reply

TISKAR
Builder
‎01-10-2020 02:16 AM

@Sujithkumarkb try to use max_match option of rex:

  | rex max_match=50 field=raw ".*<(?<API>\S+)"

Example:

| makeresults
  | eval raw="2020-01-09 03:58:08,280 INFO \[com.hti.gw.interceptor.ServiceInterceptor\] (default task-24) (Hughes_Tre13342)
  <OrderUpdateWithAccountInfoRequest xmlns:ns5=\"....\" API=\"Smile\"> 2020-01-09 03:58:08,280 INFO \[com.hti.gw.interceptor.ServiceInterceptor\] (default task-24) (Hughes_Tre13342)
  <TEST xmlns:ns5=\"....\" API=\"Smile\">" 
  | rex max_match=50 field=raw ".*<(?<API>\S+)"
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-09-2020 05:20 AM

The rex command will do that at search time.

... | rex "\)\s+\<(?<API>\S+)" | ...
---
If this reply helps you, Karma would be appreciated.
Reply

Sujithkumarkb
Observer
‎01-09-2020 10:21 PM

@richgalloway Thanks for the response , but this rex is extracting only the value "?xml" and not OrderUpdateWithAccountInfoRequest ,VinValidationRequest,GetEntitledRequest ...

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2020 03:52 AM

Interesting. There is no "?xml" in your sample data so, of course, that was not tested. Is there anything else about the data we should know?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Sujithkumarkb
Observer
‎01-10-2020 04:42 AM

There is ?xml in the data , but that being extracted as the field value is not expected .
The expected extraction is OrderUpdateWithAccountInfoRequest ,VinValidationRequest,GetEntitledRequest etc shown on the raw data .

The data is api requests that are made , where i am trying to capture the API names and once filtered for it on dashboard , i will be populating its respective responses .
for example OrderUpdateWithAccountInfoRequest is a API request which i would want to add as a value in multselect and once it is selected i would populate the OrderUpdateWithAccountInfoResponse xml from raw data as output.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
li.common.scroll-to.top