Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use spath to extract all Step Names which have a status as Fail! from my XML data?

justgovind30198
Explorer
‎07-23-2015 04:22 AM

hi,

below is my XML file format

<?xml version="1.0" encoding="UTF-8"?>
<RSDReport xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Details>
    <Region>EMEA</Region>
    <FlocID>23872378</FlocID>
    <Location>
      <Country>America</Country>
      <State>California</State>
      <City>LA</City>
      <Hospital>GetCure</Hospital>
    </Location>
  </Details>
  <TargetMachines>
    <TargetMachine Name="Demo_Machine38" IPAddress="10.0.0.38" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc01">
      <Tasks>
        <Task TaskSer="43" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine39" IPAddress="10.0.0.39" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc01">
      <Tasks>
        <Task TaskSer="44" PackageName="Client Applications" PackageVersion="V13.5 (P1007499-002)" PackageID="ec47a4b7-b60c-4084-b212-f66f88ba1e33" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
        <Task TaskSer="45" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine40" IPAddress="10.0.0.40" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc01">
      <Tasks>
        <Task TaskSer="46" PackageName="Client Applications" PackageVersion="V13.5 (P1007499-002)" PackageID="ec47a4b7-b60c-4084-b212-f66f88ba1e33" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine41" IPAddress="10.0.0.41" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc01">
      <Tasks>
        <Task TaskSer="47" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine42" IPAddress="10.0.0.42" Status="NoCommunication" StatusMessage="" IsManuallyInstalled="true" Location="lc02">
      <Tasks>
        <Task TaskSer="48" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="InProgress" StatusMessage="TimeLogger38: Extracting files" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine43" IPAddress="10.0.0.43" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc02">
      <Tasks>
        <Task TaskSer="49" PackageName="Client Applications" PackageVersion="V13.5 (P1007499-002)" PackageID="ec47a4b7-b60c-4084-b212-f66f88ba1e33" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine44" IPAddress="10.0.0.44" Status="NoCommunication" StatusMessage="" IsManuallyInstalled="true" Location="lc02">
      <Tasks>
        <Task TaskSer="50" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="InProgress" StatusMessage="TimeLogger38: Extracting files" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine45" IPAddress="10.0.0.45" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc02">
      <Tasks>
        <Task TaskSer="51" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine46" IPAddress="10.0.0.46" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc03">
      <Tasks>
        <Task TaskSer="52" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Fail" StatusMessage="TimeLogger2: Failed to transfer files to agent, due to insufficient disk space" IsCancelled="false" IsDeleted="false">
          <Steps>
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB299ED33" Name="TimeLogger1" Status="Pass" StepSer="3800" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290ED33" Name="TimeLogger2" Status="Fail" StepSer="3801">
              <Logs />
            </Step>
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD33" Name="TimeLogger3" Status="NotStarted" StepSer="3802" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD34" Name="TimeLogger4" Status="NotStarted" StepSer="3803" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD35" Name="TimeLogger5" Status="NotStarted" StepSer="3804" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD36" Name="TimeLogger6" Status="NotStarted" StepSer="3805" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD37" Name="TimeLogger7" Status="NotStarted" StepSer="3806" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD38" Name="TimeLogger8" Status="NotStarted" StepSer="3807" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD39" Name="TimeLogger9" Status="NotStarted" StepSer="3808" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD40" Name="TimeLogger10" Status="NotStarted" StepSer="3810" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD41" Name="TimeLogger11" Status="NotStarted" StepSer="3811" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD42" Name="TimeLogger12" Status="NotStarted" StepSer="3812" />
          </Steps>
        </Task>
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine47" IPAddress="10.0.0.47" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc03">
      <Tasks>
        <Task TaskSer="53" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
  </TargetMachines>
</RSDReport>

Now I want to make a chart of the step names which have their status as failed.

Note: I have made my complete file as one event and I am trying to use the search below, but no success!

...| spath output="branchRegion" path="Report.Details.Region" | search branchRegion="*"  | spath output="StepName" path="Report.TargetMachines.TargetMachine.Tasks.Task.Steps.Step{@Name}" | spath output="StepStatus" path="Report.TargetMachines.TargetMachine.Tasks.Task.Steps.Step{@Status}" | search StepStatus=Fail | stats count by StepName

Thanks in advance

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2015 10:26 AM

Start out small and add to your query until you find the source of the error. Begin with ...| spath output="branchRegion" path="RSDReport.Details.Region" and verify the results before adding the next part of the query.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

justgovind30198
Explorer
‎07-23-2015 10:49 AM

I tried the same. but no success!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-24-2015 08:18 AM

Which part of your query is failing?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2015 06:43 AM

I'm not very familiar with spath, but it seems the top level of the path argument should be 'RSDReport' rather than 'Report'.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

justgovind30198
Explorer
‎07-23-2015 09:03 AM

Its a spelling mistake while posting question I have used RSDReport only.

0 Karma
Reply

justgovind30198
Explorer
‎07-23-2015 09:00 AM

sorry for the wrong query actually it is RSDReport. only. but still its not working

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...