Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use spath to extract all Step Names which have a status as Fail! from my XML data?

justgovind30198
Explorer
‎07-23-2015 04:22 AM

hi,

below is my XML file format

<?xml version="1.0" encoding="UTF-8"?>
<RSDReport xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Details>
    <Region>EMEA</Region>
    <FlocID>23872378</FlocID>
    <Location>
      <Country>America</Country>
      <State>California</State>
      <City>LA</City>
      <Hospital>GetCure</Hospital>
    </Location>
  </Details>
  <TargetMachines>
    <TargetMachine Name="Demo_Machine38" IPAddress="10.0.0.38" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc01">
      <Tasks>
        <Task TaskSer="43" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine39" IPAddress="10.0.0.39" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc01">
      <Tasks>
        <Task TaskSer="44" PackageName="Client Applications" PackageVersion="V13.5 (P1007499-002)" PackageID="ec47a4b7-b60c-4084-b212-f66f88ba1e33" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
        <Task TaskSer="45" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine40" IPAddress="10.0.0.40" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc01">
      <Tasks>
        <Task TaskSer="46" PackageName="Client Applications" PackageVersion="V13.5 (P1007499-002)" PackageID="ec47a4b7-b60c-4084-b212-f66f88ba1e33" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine41" IPAddress="10.0.0.41" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc01">
      <Tasks>
        <Task TaskSer="47" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine42" IPAddress="10.0.0.42" Status="NoCommunication" StatusMessage="" IsManuallyInstalled="true" Location="lc02">
      <Tasks>
        <Task TaskSer="48" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="InProgress" StatusMessage="TimeLogger38: Extracting files" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine43" IPAddress="10.0.0.43" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc02">
      <Tasks>
        <Task TaskSer="49" PackageName="Client Applications" PackageVersion="V13.5 (P1007499-002)" PackageID="ec47a4b7-b60c-4084-b212-f66f88ba1e33" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine44" IPAddress="10.0.0.44" Status="NoCommunication" StatusMessage="" IsManuallyInstalled="true" Location="lc02">
      <Tasks>
        <Task TaskSer="50" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="InProgress" StatusMessage="TimeLogger38: Extracting files" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine45" IPAddress="10.0.0.45" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc02">
      <Tasks>
        <Task TaskSer="51" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine46" IPAddress="10.0.0.46" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc03">
      <Tasks>
        <Task TaskSer="52" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Fail" StatusMessage="TimeLogger2: Failed to transfer files to agent, due to insufficient disk space" IsCancelled="false" IsDeleted="false">
          <Steps>
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB299ED33" Name="TimeLogger1" Status="Pass" StepSer="3800" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290ED33" Name="TimeLogger2" Status="Fail" StepSer="3801">
              <Logs />
            </Step>
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD33" Name="TimeLogger3" Status="NotStarted" StepSer="3802" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD34" Name="TimeLogger4" Status="NotStarted" StepSer="3803" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD35" Name="TimeLogger5" Status="NotStarted" StepSer="3804" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD36" Name="TimeLogger6" Status="NotStarted" StepSer="3805" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD37" Name="TimeLogger7" Status="NotStarted" StepSer="3806" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD38" Name="TimeLogger8" Status="NotStarted" StepSer="3807" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD39" Name="TimeLogger9" Status="NotStarted" StepSer="3808" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD40" Name="TimeLogger10" Status="NotStarted" StepSer="3810" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD41" Name="TimeLogger11" Status="NotStarted" StepSer="3811" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD42" Name="TimeLogger12" Status="NotStarted" StepSer="3812" />
          </Steps>
        </Task>
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine47" IPAddress="10.0.0.47" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc03">
      <Tasks>
        <Task TaskSer="53" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
  </TargetMachines>
</RSDReport>

Now I want to make a chart of the step names which have their status as failed.

Note: I have made my complete file as one event and I am trying to use the search below, but no success!

...| spath output="branchRegion" path="Report.Details.Region" | search branchRegion="*"  | spath output="StepName" path="Report.TargetMachines.TargetMachine.Tasks.Task.Steps.Step{@Name}" | spath output="StepStatus" path="Report.TargetMachines.TargetMachine.Tasks.Task.Steps.Step{@Status}" | search StepStatus=Fail | stats count by StepName

Thanks in advance

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2015 10:26 AM

Start out small and add to your query until you find the source of the error. Begin with ...| spath output="branchRegion" path="RSDReport.Details.Region" and verify the results before adding the next part of the query.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

justgovind30198
Explorer
‎07-23-2015 10:49 AM

I tried the same. but no success!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-24-2015 08:18 AM

Which part of your query is failing?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2015 06:43 AM

I'm not very familiar with spath, but it seems the top level of the path argument should be 'RSDReport' rather than 'Report'.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

justgovind30198
Explorer
‎07-23-2015 09:03 AM

Its a spelling mistake while posting question I have used RSDReport only.

0 Karma
Reply

justgovind30198
Explorer
‎07-23-2015 09:00 AM

sorry for the wrong query actually it is RSDReport. only. but still its not working

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...