Splunk Search

How to create a regex for multiple headers and header values?

kmaron
Motivator

I'm still not overly comfortable with regex and this has completely stumped me so I'm looking for help. I'm trying to break up this XML into fields so I can show them on a dashboard in my inline search.

My event looks like this:

            <Header name="$WSIS">
                <Value>false</Value>
            </Header>
            <Header name="$WSPR">
                <Value>HTTP/1.1</Value>
            </Header>
            <Header name="$WSRA">
                <Value>##.#.##.##1</Value>
            </Header>
            <Header name="$WSRH">
                <Value>##.#.##.##2</Value>
            </Header>
            <Header name="$WSSC">
                <Value>http</Value>
            </Header>
            <Header name="$WSSN">
                <Value>www.website.com</Value>
            </Header>
            <Header name="$WSSP">
                <Value>80</Value>
            </Header>

I need to break out each Header name and keep it with it's value so that I can show a table of each header name and subsequent value.

I can get the individual fields but I haven't been able to keep them paired up.

0 Karma
1 Solution

sudosplunk
Motivator

Hi there,

Can you give this a try and see if it works for you. You can run this search as is.

| makeresults 
| eval _raw = "<Header name=\"$WSIS\"><Value>false</Value></Header><Header name=\"$WSPR\"><Value>HTTP/1.1</Value></Header><Header name=\"$WSRA\"><Value>##.#.##.##1</Value></Header><Header name=\"$WSRH\"><Value>##.#.##.##2</Value></Header><Header name=\"$WSSC\"><Value>http</Value></Header><Header name=\"$WSSN\"><Value>www.website.com</Value></Header><Header name=\"$WSSP\"><Value>80</Value></Header>" 
| spath output=name path=Header{@name} 
| spath output=Value path=Header.Value 
| table name Value

If you want to test this against your data, then add below at the end of your search and modify name and value appropriately.
...
| spath output=name path=Header{@name}
| spath output=Value path=Header.Value
| table name Value

View solution in original post

0 Karma

sudosplunk
Motivator

Hi there,

Can you give this a try and see if it works for you. You can run this search as is.

| makeresults 
| eval _raw = "<Header name=\"$WSIS\"><Value>false</Value></Header><Header name=\"$WSPR\"><Value>HTTP/1.1</Value></Header><Header name=\"$WSRA\"><Value>##.#.##.##1</Value></Header><Header name=\"$WSRH\"><Value>##.#.##.##2</Value></Header><Header name=\"$WSSC\"><Value>http</Value></Header><Header name=\"$WSSN\"><Value>www.website.com</Value></Header><Header name=\"$WSSP\"><Value>80</Value></Header>" 
| spath output=name path=Header{@name} 
| spath output=Value path=Header.Value 
| table name Value

If you want to test this against your data, then add below at the end of your search and modify name and value appropriately.
...
| spath output=name path=Header{@name}
| spath output=Value path=Header.Value
| table name Value

0 Karma

kmaron
Motivator

I don't really understand how what you're showing me will work with my event. your raw is not at all like mine.

0 Karma

sudosplunk
Motivator

Sorry, I forgot to paste it in Code sample.Splunk doesn't properly catch xml tags if not pasted in Code sample. I modified my comment above. Please note that I escaped " to satisfy eval.

0 Karma

kmaron
Motivator

okay with your run anywhere example it works great. But I don't see how I make that work for my actual data. Maybe I didn't provide enough info. The list of headers is only a portion of a 500 line block of XML

0 Karma

sudosplunk
Motivator

Can you provide how actual headers and values look like. You can mask unwanted info.

0 Karma

kmaron
Motivator
<WebError email="###" jira="###" application_name="###" uuid="###" classType="com.###.xml.gen.WebError" dateTime="2018-08-02T07:41:34.685-04:00">
    <Throwable classType="java.lang.IllegalStateException" value="java.lang.IllegalStateException" message="null" runningTotal="1">
        <Details>java.lang.IllegalStateException
    at com.ibm.ws.session.http.HttpSessionImpl.isNew(HttpSessionImpl.java:313)
    at com.ibm.ws.session.SessionContext.doSecurityCheck(SessionContext.java:559)
    at com.ibm.ws.session.SessionContext.getIHttpSession(SessionContext.java:519)
    at com.ibm.ws.session.SessionContext.getIHttpSession(SessionContext.java:426)
    at com.ibm.ws.webcontainer.srt.SRTRequestContext.getSession(SRTRequestContext.java:113)
    at com.ibm.ws.webcontainer.srt.SRTServletRequest.getSession(SRTServletRequest.java:2212)
    at com.ibm.ws.webcontainer.srt.SRTServletRequest.getSession(SRTServletRequest.java:2196)
    at com.aoins.logging.LoggerFilter.doFilter(LoggerFilter.java:35)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:967)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1107)
    at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:87)
    at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:949)
    at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
    at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:200)
    at com.ibm.ws390.xmem.proxy.channel.XMemProxySRInboundConnLink.ready(XMemProxySRInboundConnLink.java:105)
    at com.ibm.ws390.xmem.proxy.channel.XMemProxySRInboundChannel.processNewConnection(XMemProxySRInboundChannel.java:123)
    at com.ibm.ws390.xmem.proxy.XMemProxySRCppUtilities.httpinvoke(XMemProxySRCppUtilities.java:150)
    at com.ibm.ws390.orb.ServerRegionBridge.httpinvoke(ServerRegionBridge.java:213)
    at com.ibm.ws390.orb.CommonBridge.getAndProcessWork(CommonBridge.java:683)
    at com.ibm.ws390.orb.CommonBridge.runApplicationThread(CommonBridge.java:614)
    at com.ibm.ws.util.ThreadPool$ZOSWorker.run(ThreadPool.java:2127)
</Details>
    </Throwable>
    <Request>
        <Session created="true">
            <SessionInfo valid="true" source="COOKIE" id="###" creationTime="2018-08-02T07:41:34.359-04:00" lastAccessedTime="2018-08-02T07:41:34.680-04:00" maxInactiveInterval="1800" new="false"/>
        </Session>
        <Parameters/>
        <Attributes>
            <ApplicationScope>
                <Attribute name="com.ibm.websphere.servlet.application.classpath" value="*VALUE REMOVED*" classType="java.lang.String"/>
                <Attribute name="com.ibm.websphere.servlet.application.host" value="###" classType="java.lang.String"/>
                <Attribute name="com.ibm.websphere.servlet.application.name" value="###" classType="java.lang.String"/>
                <Attribute name="com.ibm.websphere.servlet.enterprise.application.name" value="###" classType="java.lang.String"/>
                <Attribute name="com.ibm.websphere.servlet.event.ServletContextEventSource" value="com.ibm.ws.webcontainer.webapp.WebAppEventSource@a0f4f3f7" classType="com.ibm.ws.webcontainer.webapp.WebAppEventSource"/>
                <Attribute name="com.ibm.ws.jsf.JSF_IMPL_ENABLED" value="None" classType="com.ibm.ws.jsf.JSFConstants$JSFImplEnabled"/>
                <Attribute name="com.ibm.ws.jsp.servletContextListeners.contextInitialized" value="true" classType="java.lang.String"/>
                <Attribute name="com.ibm.ws.webcontainer.config.WelcomeFileList" value="[index.html, index.htm, index.jsp]" classType="java.util.ArrayList"/>
                <Attribute name="com.ibm.ws.webcontainer.webAppPmiListener" value="com.ibm.ws.webcontainer.WebAppPmiListener@439c3f08" classType="com.ibm.ws.webcontainer.WebAppPmiListener"/>
                <Attribute name="com.ibm.wsspi.portletcontainer" value="com.ibm.ws.portletcontainer.pcinvoker.PortletContainerImpl@2a527a26" classType="com.ibm.ws.portletcontainer.pcinvoker.PortletContainerImpl"/>
                <Attribute name="CONFIGURATION_CONTEXT" value="org.apache.axis2.context.ConfigurationContext@c9df7dbd" classType="org.apache.axis2.context.ConfigurationContext"/>
                <Attribute name="javax.faces.validator.beanValidator.ValidatorFactory" value="com.ibm.ws.beanvalidation.WASProxyValidatorFactory@1011fd1c" classType="com.ibm.ws.beanvalidation.WASProxyValidatorFactory"/>
                <Attribute name="javax.servlet.context.tempdir" value="###" classType="java.io.File"/>
                <Attribute name="JCDI_ENABLED" value="false" classType="java.lang.Boolean"/>
                <Attribute name="org.apache.jasper.runtime.JspApplicationContextImpl" value="org.apache.jasper.runtime.JspApplicationContextImpl@4ebe686b" classType="org.apache.jasper.runtime.JspApplicationContextImpl"/>
                <Attribute name="org.apache.wink.server.internal.RequestProcessor" value="org.apache.wink.server.internal.RequestProcessor@fa506c7a" classType="org.apache.wink.server.internal.RequestProcessor"/>
                <Attribute name="org.springframework.web.context.support.ServletContextScope" value="org.springframework.web.context.support.ServletContextScope@b160b6b9" classType="org.springframework.web.context.support.ServletContextScope"/>
                <Attribute name="org.springframework.web.context.WebApplicationContext.ROOT" value="Root WebApplicationContext: startup date [Thu Aug 02 03:20:04 EDT 2018]; root of context hierarchy" classType="org.springframework.web.context.support.XmlWebApplicationContext"/>
                <Attribute name="org.springframework.web.servlet.FrameworkServlet.CONTEXT.Spring" value="WebApplicationContext for namespace 'Spring-servlet': startup date [Thu Aug 02 03:20:26 EDT 2018]; parent: Root WebApplicationContext" classType="org.springframework.web.context.support.AnnotationConfigWebApplicationContext"/>
                <Attribute name="###" value="org.apache.wink.server.internal.lifecycle.metadata.EJBMetadata@c7f8ea3b" classType="org.apache.wink.server.internal.lifecycle.metadata.EJBMetadata"/>
            </ApplicationScope>
            <SessionScope/>
            <RequestScope>
                <Attribute name="com.aoins.errorhandler.ErrorHandlerAttribute.EH_TIME" value="August 02, 2018 07:41:34 AM" classType="java.lang.String"/>
                <Attribute name="com.aoins.errorhandler.ErrorHandlerAttribute.EH_UUID" value="###" classType="java.lang.String"/>
                <Attribute name="com.ibm.servlet.engine.webapp.dispatch_nested" value="true" classType="java.lang.String"/>
                <Attribute name="com.ibm.servlet.engine.webapp.dispatch_type" value="forward" classType="java.lang.String"/>
                <Attribute name="ErrorReport" value="com.ibm.ws.webcontainer.webapp.WebAppErrorReport: java.lang.IllegalStateException" classType="com.ibm.ws.webcontainer.webapp.WebAppErrorReport"/>
                <Attribute name="javax.servlet.error.exception" value="java.lang.IllegalStateException" classType="java.lang.IllegalStateException"/>
                <Attribute name="javax.servlet.error.exception_type" value="class java.lang.IllegalStateException" classType="java.lang.Class"/>
                <Attribute name="javax.servlet.error.message" value="java.lang.IllegalStateException" classType="java.lang.String"/>
                <Attribute name="javax.servlet.error.request_uri" value="/V5/Auto/static/css/vehicleLookup.css" classType="java.lang.String"/>
                <Attribute name="javax.servlet.error.servlet_name" value="Static File wrapper" classType="java.lang.String"/>
                <Attribute name="javax.servlet.error.status_code" value="500" classType="java.lang.Integer"/>
                <Attribute name="javax.servlet.forward.context_path" value="###" classType="java.lang.String"/>
                <Attribute name="javax.servlet.forward.path_info" value="###" classType="java.lang.String"/>
                <Attribute name="javax.servlet.forward.request_uri" value="/V5/Auto/static/css/vehicleLookup.css" classType="java.lang.String"/>
                <Attribute name="javax.servlet.forward.servlet_path" value="" classType="java.lang.String"/>
                <Attribute name="javax.servlet.jsp.jspException" value="com.ibm.ws.webcontainer.webapp.WebAppErrorReport: java.lang.IllegalStateException" classType="com.ibm.ws.webcontainer.webapp.WebAppErrorReport"/>
            </RequestScope>
        </Attributes>
        <Cookies>
            ###
        </Cookies>
        <Headers>
            <Header name="$WSIS">
                <Value>false</Value>
            </Header>
            <Header name="$WSPR">
                <Value>HTTP/1.1</Value>
            </Header>
            <Header name="$WSRA">
                <Value>###</Value>
            </Header>
            <Header name="$WSRH">
                <Value>###</Value>
            </Header>
            <Header name="$WSSC">
                <Value>http</Value>
            </Header>
            <Header name="$WSSN">
                <Value>www.###.com</Value>
            </Header>
            <Header name="$WSSP">
                <Value>80</Value>
            </Header>
            <Header name="$WSXCTCONTEXTID">
                <Value>###</Value>
            </Header>
            <Header name="_WS_HAPRT_WLMVERSION">
                <Value>-1</Value>
            </Header>
            <Header name="Accept">
                <Value>text/css, */*</Value>
            </Header>
            <Header name="Accept-Language">
                <Value>en-US</Value>
            </Header>
            <Header name="Cookie">
                <Value>*VALUE REMOVED*</Value>
            </Header>
            <Header name="DNT">
                <Value>1</Value>
            </Header>
            <Header name="Host">
                <Value>###</Value>
            </Header>
            <Header name="If-Modified-Since">
                <Value>Mon, 30 Jul 2018 17:07:34 GMT</Value>
            </Header>
            <Header name="Referer">
                <Value>https://www.google.com</Value>
            </Header>
            <Header name="Surrogate-Capability">
                <Value>WS-ESI="ESI/1.0+"</Value>
            </Header>
            <Header name="User-Agent">
                <Value>Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko</Value>
            </Header>
            <Header name="clientip">
                <Value>###</Value>
            </Header>
            <Header name="ssodbg">
                <Value>3</Value>
            </Header>
            <Header name="TLSLog">
                <Value>TLSv1.2</Value>
            </Header>
            <Header name="Username">
                <Value>###</Value>
            </Header>
            <Header name="X-Forwarded-Proto">
                <Value>https</Value>
            </Header>
        </Headers>
        <OriginalRequestedURI>###</OriginalRequestedURI>
        <RequestedURI>###</RequestedURI>
        <OriginalQueryString>null</OriginalQueryString>
        <QueryString>null</QueryString>
        <ServletName>Static File wrapper</ServletName>
        <StatusCode>500</StatusCode>
        <CharacterEncoding>null</CharacterEncoding>
        <ContentLength>-1</ContentLength>
        <ContentType>null</ContentType>
        <Secure>true</Secure>
        <Method>GET</Method>
        <AuthorizationType>BASIC</AuthorizationType>
        <PathInfo>null</PathInfo>
        <PathTranslated>null</PathTranslated>
        <Client host="###" address="###" remoteUser="###" port="###">
            <Locale language="en" country="US"/>
        </Client>
        <Server host="###" port="###"/>
        <WASServer serverName="###" jobNumber="###"/>
        <LocalInterface host="###" address="###0" port="###"/>
    </Request>
</WebError>
0 Karma

sudosplunk
Motivator

Please run the search below and see if it works for you. If yes, all you need to is, add |spath at the end of your search query. More info about spath command.

| makeresults | eval _raw = "<WebError email=\"###\" jira=\"###\" application_name=\"###\" uuid=\"###\" classType=\"com.###.xml.gen.WebError\" dateTime=\"2018-08-02T07:41:34.685-04:00\">
     <Throwable classType=\"java.lang.IllegalStateException\" value=\"java.lang.IllegalStateException\" message=\"null\" runningTotal=\"1\">
         <Details>java.lang.IllegalStateException
     at com.ibm.ws.session.http.HttpSessionImpl.isNew(HttpSessionImpl.java:313)
     at com.ibm.ws.session.SessionContext.doSecurityCheck(SessionContext.java:559)
     at com.ibm.ws.session.SessionContext.getIHttpSession(SessionContext.java:519)
     at com.ibm.ws.session.SessionContext.getIHttpSession(SessionContext.java:426)
     at com.ibm.ws.webcontainer.srt.SRTRequestContext.getSession(SRTRequestContext.java:113)
     at com.ibm.ws.webcontainer.srt.SRTServletRequest.getSession(SRTServletRequest.java:2212)
     at com.ibm.ws.webcontainer.srt.SRTServletRequest.getSession(SRTServletRequest.java:2196)
     at com.aoins.logging.LoggerFilter.doFilter(LoggerFilter.java:35)
     at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
     at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
     at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:967)
     at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1107)
     at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:87)
     at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:949)
     at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
     at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:200)
     at com.ibm.ws390.xmem.proxy.channel.XMemProxySRInboundConnLink.ready(XMemProxySRInboundConnLink.java:105)
     at com.ibm.ws390.xmem.proxy.channel.XMemProxySRInboundChannel.processNewConnection(XMemProxySRInboundChannel.java:123)
     at com.ibm.ws390.xmem.proxy.XMemProxySRCppUtilities.httpinvoke(XMemProxySRCppUtilities.java:150)
     at com.ibm.ws390.orb.ServerRegionBridge.httpinvoke(ServerRegionBridge.java:213)
     at com.ibm.ws390.orb.CommonBridge.getAndProcessWork(CommonBridge.java:683)
     at com.ibm.ws390.orb.CommonBridge.runApplicationThread(CommonBridge.java:614)
     at com.ibm.ws.util.ThreadPool$ZOSWorker.run(ThreadPool.java:2127)
 </Details>
     </Throwable>
     <Request>
         <Session created=\"true\">
             <SessionInfo valid=\"true\" source=\"COOKIE\" id=\"###\" creationTime=\"2018-08-02T07:41:34.359-04:00\" lastAccessedTime=\"2018-08-02T07:41:34.680-04:00\" maxInactiveInterval=\"1800\" new=\"false\"/>
         </Session>
         <Parameters/>
         <Attributes>
             <ApplicationScope>
                 <Attribute name=\"com.ibm.websphere.servlet.application.classpath\" value=\"*VALUE REMOVED*\" classType=\"java.lang.String\"/>
                 <Attribute name=\"com.ibm.websphere.servlet.application.host\" value=\"###\" classType=\"java.lang.String\"/>
                 <Attribute name=\"com.ibm.websphere.servlet.application.name\" value=\"###\" classType=\"java.lang.String\"/>
                 <Attribute name=\"com.ibm.websphere.servlet.enterprise.application.name\" value=\"###\" classType=\"java.lang.String\"/>
                 <Attribute name=\"com.ibm.websphere.servlet.event.ServletContextEventSource\" value=\"com.ibm.ws.webcontainer.webapp.WebAppEventSource@a0f4f3f7\" classType=\"com.ibm.ws.webcontainer.webapp.WebAppEventSource\"/>
                 <Attribute name=\"com.ibm.ws.jsf.JSF_IMPL_ENABLED\" value=\"None\" classType=\"com.ibm.ws.jsf.JSFConstants$JSFImplEnabled\"/>
                 <Attribute name=\"com.ibm.ws.jsp.servletContextListeners.contextInitialized\" value=\"true\" classType=\"java.lang.String\"/>
                 <Attribute name=\"com.ibm.ws.webcontainer.config.WelcomeFileList\" value=\"\[index.html, index.htm, index.jsp\]\" classType=\"java.util.ArrayList\"/>
                 <Attribute name=\"com.ibm.ws.webcontainer.webAppPmiListener\" value=\"com.ibm.ws.webcontainer.WebAppPmiListener@439c3f08\" classType=\"com.ibm.ws.webcontainer.WebAppPmiListener\"/>
                 <Attribute name=\"com.ibm.wsspi.portletcontainer\" value=\"com.ibm.ws.portletcontainer.pcinvoker.PortletContainerImpl@2a527a26\" classType=\"com.ibm.ws.portletcontainer.pcinvoker.PortletContainerImpl\"/>
                 <Attribute name=\"CONFIGURATION_CONTEXT\" value=\"org.apache.axis2.context.ConfigurationContext@c9df7dbd\" classType=\"org.apache.axis2.context.ConfigurationContext\"/>
                 <Attribute name=\"javax.faces.validator.beanValidator.ValidatorFactory\" value=\"com.ibm.ws.beanvalidation.WASProxyValidatorFactory@1011fd1c\" classType=\"com.ibm.ws.beanvalidation.WASProxyValidatorFactory\"/>
                 <Attribute name=\"javax.servlet.context.tempdir\" value=\"###\" classType=\"java.io.File\"/>
                 <Attribute name=\"JCDI_ENABLED\" value=\"false\" classType=\"java.lang.Boolean\"/>
                 <Attribute name=\"org.apache.jasper.runtime.JspApplicationContextImpl\" value=\"org.apache.jasper.runtime.JspApplicationContextImpl@4ebe686b\" classType=\"org.apache.jasper.runtime.JspApplicationContextImpl\"/>
                 <Attribute name=\"org.apache.wink.server.internal.RequestProcessor\" value=\"org.apache.wink.server.internal.RequestProcessor@fa506c7a\" classType=\"org.apache.wink.server.internal.RequestProcessor\"/>
                 <Attribute name=\"org.springframework.web.context.support.ServletContextScope\" value=\"org.springframework.web.context.support.ServletContextScope@b160b6b9\" classType=\"org.springframework.web.context.support.ServletContextScope\"/>
                 <Attribute name=\"org.springframework.web.context.WebApplicationContext.ROOT\" value=\"Root WebApplicationContext: startup date \[Thu Aug 02 03:20:04 EDT 2018\]; root of context hierarchy\" classType=\"org.springframework.web.context.support.XmlWebApplicationContext\"/>
                 <Attribute name=\"org.springframework.web.servlet.FrameworkServlet.CONTEXT.Spring\" value=\"WebApplicationContext for namespace 'Spring-servlet': startup date \[Thu Aug 02 03:20:26 EDT 2018\]; parent: Root WebApplicationContext\" classType=\"org.springframework.web.context.support.AnnotationConfigWebApplicationContext\"/>
                 <Attribute name=\"###\" value=\"org.apache.wink.server.internal.lifecycle.metadata.EJBMetadata@c7f8ea3b\" classType=\"org.apache.wink.server.internal.lifecycle.metadata.EJBMetadata\"/>
             </ApplicationScope>
             <SessionScope/>
             <RequestScope>
                 <Attribute name=\"com.aoins.errorhandler.ErrorHandlerAttribute.EH_TIME\" value=\"August 02, 2018 07:41:34 AM\" classType=\"java.lang.String\"/>
                 <Attribute name=\"com.aoins.errorhandler.ErrorHandlerAttribute.EH_UUID\" value=\"###\" classType=\"java.lang.String\"/>
                 <Attribute name=\"com.ibm.servlet.engine.webapp.dispatch_nested\" value=\"true\" classType=\"java.lang.String\"/>
                 <Attribute name=\"com.ibm.servlet.engine.webapp.dispatch_type\" value=\"forward\" classType=\"java.lang.String\"/>
                 <Attribute name=\"ErrorReport\" value=\"com.ibm.ws.webcontainer.webapp.WebAppErrorReport: java.lang.IllegalStateException\" classType=\"com.ibm.ws.webcontainer.webapp.WebAppErrorReport\"/>
                 <Attribute name=\"javax.servlet.error.exception\" value=\"java.lang.IllegalStateException\" classType=\"java.lang.IllegalStateException\"/>
                 <Attribute name=\"javax.servlet.error.exception_type\" value=\"class java.lang.IllegalStateException\" classType=\"java.lang.Class\"/>
                 <Attribute name=\"javax.servlet.error.message\" value=\"java.lang.IllegalStateException\" classType=\"java.lang.String\"/>
                 <Attribute name=\"javax.servlet.error.request_uri\" value=\"/V5/Auto/static/css/vehicleLookup.css\" classType=\"java.lang.String\"/>
                 <Attribute name=\"javax.servlet.error.servlet_name\" value=\"Static File wrapper\" classType=\"java.lang.String\"/>
                 <Attribute name=\"javax.servlet.error.status_code\" value=\"500\" classType=\"java.lang.Integer\"/>
                 <Attribute name=\"javax.servlet.forward.context_path\" value=\"###\" classType=\"java.lang.String\"/>
                 <Attribute name=\"javax.servlet.forward.path_info\" value=\"###\" classType=\"java.lang.String\"/>
                 <Attribute name=\"javax.servlet.forward.request_uri\" value=\"/V5/Auto/static/css/vehicleLookup.css\" classType=\"java.lang.String\"/>
                 <Attribute name=\"javax.servlet.forward.servlet_path\" value=\"\" classType=\"java.lang.String\"/>
                 <Attribute name=\"javax.servlet.jsp.jspException\" value=\"com.ibm.ws.webcontainer.webapp.WebAppErrorReport: java.lang.IllegalStateException\" classType=\"com.ibm.ws.webcontainer.webapp.WebAppErrorReport\"/>
             </RequestScope>
         </Attributes>
         <Cookies>
             ###
         </Cookies>
         <Headers>
             <Header name=\"$WSIS\">
                 <Value>false</Value>
             </Header>
             <Header name=\"$WSPR\">
                 <Value>HTTP/1.1</Value>
             </Header>
             <Header name=\"$WSRA\">
                 <Value>###</Value>
             </Header>
             <Header name=\"$WSRH\">
                 <Value>###</Value>
             </Header>
             <Header name=\"$WSSC\">
                 <Value>http</Value>
             </Header>
             <Header name=\"$WSSN\">
                 <Value>www.###.com</Value>
             </Header>
             <Header name=\"$WSSP\">
                 <Value>80</Value>
             </Header>
             <Header name=\"$WSXCTCONTEXTID\">
                 <Value>###</Value>
             </Header>
             <Header name=\"_WS_HAPRT_WLMVERSION\">
                 <Value>-1</Value>
             </Header>
             <Header name=\"Accept\">
                 <Value>text/css, */*</Value>
             </Header>
             <Header name=\"Accept-Language\">
                 <Value>en-US</Value>
             </Header>
             <Header name=\"Cookie\">
                 <Value>*VALUE REMOVED*</Value>
             </Header>
             <Header name=\"DNT\">
                 <Value>1</Value>
             </Header>
             <Header name=\"Host\">
                 <Value>###</Value>
             </Header>
             <Header name=\"If-Modified-Since\">
                 <Value>Mon, 30 Jul 2018 17:07:34 GMT</Value>
             </Header>
             <Header name=\"Referer\">
                 <Value>https://www.google.com</Value>
             </Header>
             <Header name=\"Surrogate-Capability\">
                 <Value>WS-ESI=\"ESI/1.0+\"</Value>
             </Header>
             <Header name=\"User-Agent\">
                 <Value>Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko</Value>
             </Header>
             <Header name=\"clientip\">
                 <Value>###</Value>
             </Header>
             <Header name=\"ssodbg\">
                 <Value>3</Value>
             </Header>
             <Header name=\"TLSLog\">
                 <Value>TLSv1.2</Value>
             </Header>
             <Header name=\"Username\">
                 <Value>###</Value>
             </Header>
             <Header name=\"X-Forwarded-Proto\">
                 <Value>https</Value>
             </Header>
         </Headers>
         <OriginalRequestedURI>###</OriginalRequestedURI>
         <RequestedURI>###</RequestedURI>
         <OriginalQueryString>null</OriginalQueryString>
         <QueryString>null</QueryString>
         <ServletName>Static File wrapper</ServletName>
         <StatusCode>500</StatusCode>
         <CharacterEncoding>null</CharacterEncoding>
         <ContentLength>-1</ContentLength>
         <ContentType>null</ContentType>
         <Secure>true</Secure>
         <Method>GET</Method>
         <AuthorizationType>BASIC</AuthorizationType>
         <PathInfo>null</PathInfo>
         <PathTranslated>null</PathTranslated>
         <Client host=\"###\" address=\"###\" remoteUser=\"###\" port=\"###\">
             <Locale language=\"en\" country=\"US\"/>
         </Client>
         <Server host=\"###\" port=\"###\"/>
         <WASServer serverName=\"###\" jobNumber=\"###\"/>
         <LocalInterface host=\"###\" address=\"###0\" port=\"###\"/>
     </Request>
 </WebError>" | spath
0 Karma

kmaron
Motivator

I never knew spath could do that! That will work! If you can convert this comment to an answer I will accept it! Thank you!

0 Karma

soumyasaha25
Contributor

can you try defining it in props and transforms

props.conf

 [yourSourceType]
 NO_BINARY_CHECK = 1
 TIME_FORMAT = %a %b %d %H:%M:%S %T %Y
 pulldown_type = 1
 REPORT-xmlkv = xmlkv-alternative

transforms.conf

 [xmlkv-alternative]
 REGEX = <([^\s\>]*)[^\>]*\>([^<]*)\<\/\1\>
 FORMAT = $1::$2
0 Karma

kmaron
Motivator

No. I don't have access to those. It has to be in the SPL.

0 Karma

soumyasaha25
Contributor

try this

your search | rex field=_raw ".*?\<Header\sname\=\"\$(?P<header_name>.*?)\"\>\s+\<Value\>(?P<value>.*?)\<\/Value\>"
0 Karma

kmaron
Motivator

that's essentially what I have. it gets me one header name and one value.

0 Karma

jodyfsu
Path Finder

This should work

| rex "^.[^\<]+\<Header\sname\=\"(?<HEAD1>.[^\"]+)\"\>\n.[^\<]+\<Value\>(?<HEAD1_VAL>.[^\<]+)\<\/Value\>\s.[^\<]+\<\/Header\>\s.[^\<]+\<Header\sname\=\"(?<HEAD2>.[^\"]+)\"\>\s.[^\<]+\<Value\>(?<HEAD2_VAL>.[^\<]+)\<\/Value\>\s.[^\<]+\<\/Header\>\s.[^\<]+\<Header\sname\=\"(?<HEAD3>.[^\"]+)\"\>\s.[^\<]+\<Value\>(?<HEAD3_VAL>.[^\<]+)\<\/Value\>\s.[^\<]+\<\/Header\>\s.[^\<]+\<Header\sname\=\"(?<HEAD4>.[^\"]+)\"\>\s.[^\<]+\<Value\>(?<HEAD4_VAL>.[^\<]+)\<\/Value\>\s.[^\<]+\<\/Header\>\s.[^\<]+\<Header\sname\=\"(?<HEAD5>.[^\"]+)\"\>\s.[^\<]+\<Value\>(?<HEAD5_VAL>.[^\<]+)\<\/Value\>\s.[^\<]+\<\/Header\>\s.[^\<]+\<Header\sname\=\"(?<HEAD6>.[^\"]+)\"\>\s.[^\<]+\<Value\>(?<HEAD6_VAL>.[^\<]+)\<\/Value\>\s.[^\<]+\<\/Header\>\s.[^\<]+\<Header\sname\=\"(?<HEAD7>.[^\>]+)\>\s.[^\<]+\<Value\>(?<HEAD7_VAL>.[^\<]+)\<"
| table HEAD1 HEAD1_VAL HEAD2 HEAD2_VAL HEAD3 HEAD3_VAL HEAD4 HEAD4_VAL HEAD5 HEAD5_VAL HEAD6 HEAD6_VAL HEAD7 HEAD7_VAL

Let us know if you are looking for something different.

0 Karma

kmaron
Motivator

I can make that work but I have an unknown number of header values. I've seen as many as 39 on different events.

0 Karma

jodyfsu
Path Finder

Hmm.. You could add the additional HEAD* HEAD*_VAL as needed, it will only get populated if there is data.

0 Karma

kmaron
Motivator

Thanks. I'll go with that for now until I find a better solution.

0 Karma

jodyfsu
Path Finder

Is there no other info in the results? It will be easier if we have more at either end of the result.

0 Karma

kmaron
Motivator

the section in question starts and ends with < Headers > and < /Headers > but everything else before and after those tags varies.

0 Karma

kmaron
Motivator

the spaces aren't really there. it's the only way it would work in the comment.

0 Karma

jodyfsu
Path Finder

Never mind, I have something. I should have it completed shortly.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...