Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use spath to extract all Step Names which have a status as Fail! from my XML data?

justgovind30198
Explorer
‎07-23-2015 04:22 AM

hi,

below is my XML file format

<?xml version="1.0" encoding="UTF-8"?>
<RSDReport xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Details>
    <Region>EMEA</Region>
    <FlocID>23872378</FlocID>
    <Location>
      <Country>America</Country>
      <State>California</State>
      <City>LA</City>
      <Hospital>GetCure</Hospital>
    </Location>
  </Details>
  <TargetMachines>
    <TargetMachine Name="Demo_Machine38" IPAddress="10.0.0.38" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc01">
      <Tasks>
        <Task TaskSer="43" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine39" IPAddress="10.0.0.39" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc01">
      <Tasks>
        <Task TaskSer="44" PackageName="Client Applications" PackageVersion="V13.5 (P1007499-002)" PackageID="ec47a4b7-b60c-4084-b212-f66f88ba1e33" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
        <Task TaskSer="45" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine40" IPAddress="10.0.0.40" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc01">
      <Tasks>
        <Task TaskSer="46" PackageName="Client Applications" PackageVersion="V13.5 (P1007499-002)" PackageID="ec47a4b7-b60c-4084-b212-f66f88ba1e33" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine41" IPAddress="10.0.0.41" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc01">
      <Tasks>
        <Task TaskSer="47" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine42" IPAddress="10.0.0.42" Status="NoCommunication" StatusMessage="" IsManuallyInstalled="true" Location="lc02">
      <Tasks>
        <Task TaskSer="48" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="InProgress" StatusMessage="TimeLogger38: Extracting files" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine43" IPAddress="10.0.0.43" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc02">
      <Tasks>
        <Task TaskSer="49" PackageName="Client Applications" PackageVersion="V13.5 (P1007499-002)" PackageID="ec47a4b7-b60c-4084-b212-f66f88ba1e33" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine44" IPAddress="10.0.0.44" Status="NoCommunication" StatusMessage="" IsManuallyInstalled="true" Location="lc02">
      <Tasks>
        <Task TaskSer="50" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="InProgress" StatusMessage="TimeLogger38: Extracting files" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine45" IPAddress="10.0.0.45" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc02">
      <Tasks>
        <Task TaskSer="51" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine46" IPAddress="10.0.0.46" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc03">
      <Tasks>
        <Task TaskSer="52" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Fail" StatusMessage="TimeLogger2: Failed to transfer files to agent, due to insufficient disk space" IsCancelled="false" IsDeleted="false">
          <Steps>
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB299ED33" Name="TimeLogger1" Status="Pass" StepSer="3800" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290ED33" Name="TimeLogger2" Status="Fail" StepSer="3801">
              <Logs />
            </Step>
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD33" Name="TimeLogger3" Status="NotStarted" StepSer="3802" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD34" Name="TimeLogger4" Status="NotStarted" StepSer="3803" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD35" Name="TimeLogger5" Status="NotStarted" StepSer="3804" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD36" Name="TimeLogger6" Status="NotStarted" StepSer="3805" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD37" Name="TimeLogger7" Status="NotStarted" StepSer="3806" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD38" Name="TimeLogger8" Status="NotStarted" StepSer="3807" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD39" Name="TimeLogger9" Status="NotStarted" StepSer="3808" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD40" Name="TimeLogger10" Status="NotStarted" StepSer="3810" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD41" Name="TimeLogger11" Status="NotStarted" StepSer="3811" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD42" Name="TimeLogger12" Status="NotStarted" StepSer="3812" />
          </Steps>
        </Task>
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine47" IPAddress="10.0.0.47" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc03">
      <Tasks>
        <Task TaskSer="53" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
  </TargetMachines>
</RSDReport>

Now I want to make a chart of the step names which have their status as failed.

Note: I have made my complete file as one event and I am trying to use the search below, but no success!

...| spath output="branchRegion" path="Report.Details.Region" | search branchRegion="*"  | spath output="StepName" path="Report.TargetMachines.TargetMachine.Tasks.Task.Steps.Step{@Name}" | spath output="StepStatus" path="Report.TargetMachines.TargetMachine.Tasks.Task.Steps.Step{@Status}" | search StepStatus=Fail | stats count by StepName

Thanks in advance

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2015 10:26 AM

Start out small and add to your query until you find the source of the error. Begin with ...| spath output="branchRegion" path="RSDReport.Details.Region" and verify the results before adding the next part of the query.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

justgovind30198
Explorer
‎07-23-2015 10:49 AM

I tried the same. but no success!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-24-2015 08:18 AM

Which part of your query is failing?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2015 06:43 AM

I'm not very familiar with spath, but it seems the top level of the path argument should be 'RSDReport' rather than 'Report'.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

justgovind30198
Explorer
‎07-23-2015 09:03 AM

Its a spelling mistake while posting question I have used RSDReport only.

0 Karma
Reply

justgovind30198
Explorer
‎07-23-2015 09:00 AM

sorry for the wrong query actually it is RSDReport. only. but still its not working

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...