Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can i extract keywords from my log as field values for field name API's

Sujithkumarkb
Observer
‎01-09-2020 03:52 AM

How can i extract the below block letter keywords (OrderUpdateWithAccountInfoRequest ,VinValidationRequest,GetEntitledRequest ..)from my log as field values for field name API's?

2020-01-09 03:58:08,280 INFO com.hti.gw.interceptor.ServiceInterceptor (Hughes_Tre13342)
<OrderUpdateWithAccountInfoRequest ** xmlns:ns5=".......
2020-01-08 06:25:25,836 INFO com.vzt.pg.AbstractMiddlewareDelegate (AMP_RptDqckdAsT5ldcFG8eh_tdzbmtxux44z850) <VinValidationRequest** xmlns:ns2="http://www.hughestelematics.com.....
2020-01-08 06:25:25,546 INFO com.vzt.pg.AbstractMiddlewareDelegate (AMP_RptDqckdAsT5ldcFG8eh_tdzbmtxux44z850) <GetEntitledRequest xmlns:ns2="ht......
2020-01-08 06:20:13,637 INFO com.vzt.pg.AbstractMiddlewareDelegate
(AMP_RptDqckdAsT5ldcFG8eh_9wiiwnvakzcdc66) <VinValidationRequest xmlns:ns2="http:/......

0 Karma
Reply

TISKAR
Builder
‎01-09-2020 06:53 AM

Hello :),

I simulate the extractation of API field, This is example to extract field API from log, you can past this request in your empty search and run it:

| makeresults
| eval raw="2020-01-09 03:58:08,280 INFO \[com.hti.gw.interceptor.ServiceInterceptor\] (default task-24) (Hughes_Tre13342)
<OrderUpdateWithAccountInfoRequest xmlns:ns5=\"....\" API=\"Smile\"> <second ligne>" 
| rex field=raw "OrderUpdateWithAccountInfoRequest[^API]+API=\"(?<API>[^\"]+)"
0 Karma
Reply

Sujithkumarkb
Observer
‎01-09-2020 10:22 PM

@TISKAR , thanks for your response but this rex is extracting only the value "Smile" and not OrderUpdateWithAccountInfoRequest ,VinValidationRequest,GetEntitledRequest ...

0 Karma
Reply

TISKAR
Builder
‎01-10-2020 12:29 AM

Try this:

| makeresults
 | eval raw="2020-01-09 03:58:08,280 INFO \[com.hti.gw.interceptor.ServiceInterceptor\] (default task-24) (Hughes_Tre13342)
 <OrderUpdateWithAccountInfoRequest xmlns:ns5=\"....\" API=\"Smile\"> <second ligne>" 
 | rex field=raw "<(?<API>\S+)"
0 Karma
Reply

Sujithkumarkb
Observer
‎01-10-2020 01:26 AM

@TISKAR , that works . This way i can extract one API at a time , But there are more than 400 APIs like OrderUpdateWithAccountInfoRequest ..
How can I generically run Rex and extract all APIs under the field API and save them as extracted field values

0 Karma
Reply

TISKAR
Builder
‎01-10-2020 02:16 AM

@Sujithkumarkb try to use max_match option of rex:

  | rex max_match=50 field=raw ".*<(?<API>\S+)"

Example:

| makeresults
  | eval raw="2020-01-09 03:58:08,280 INFO \[com.hti.gw.interceptor.ServiceInterceptor\] (default task-24) (Hughes_Tre13342)
  <OrderUpdateWithAccountInfoRequest xmlns:ns5=\"....\" API=\"Smile\"> 2020-01-09 03:58:08,280 INFO \[com.hti.gw.interceptor.ServiceInterceptor\] (default task-24) (Hughes_Tre13342)
  <TEST xmlns:ns5=\"....\" API=\"Smile\">" 
  | rex max_match=50 field=raw ".*<(?<API>\S+)"
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-09-2020 05:20 AM

The rex command will do that at search time.

... | rex "\)\s+\<(?<API>\S+)" | ...
---
If this reply helps you, Karma would be appreciated.
Reply

Sujithkumarkb
Observer
‎01-09-2020 10:21 PM

@richgalloway Thanks for the response , but this rex is extracting only the value "?xml" and not OrderUpdateWithAccountInfoRequest ,VinValidationRequest,GetEntitledRequest ...

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2020 03:52 AM

Interesting. There is no "?xml" in your sample data so, of course, that was not tested. Is there anything else about the data we should know?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Sujithkumarkb
Observer
‎01-10-2020 04:42 AM

There is ?xml in the data , but that being extracted as the field value is not expected .
The expected extraction is OrderUpdateWithAccountInfoRequest ,VinValidationRequest,GetEntitledRequest etc shown on the raw data .

The data is api requests that are made , where i am trying to capture the API names and once filtered for it on dashboard , i will be populating its respective responses .
for example OrderUpdateWithAccountInfoRequest is a API request which i would want to add as a value in multselect and once it is selected i would populate the OrderUpdateWithAccountInfoResponse xml from raw data as output.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...