Re: How to write a basic SPLUNK query which return...

t964396 · ‎07-04-2017

Can you please help me on how to write a basic SPLUNK query which returns value A, B, C & D.

here are the sample XML tags screenshot attached

cmerriman · ‎07-04-2017

Try something like this:

|rex "one\>(?<one>\w+)|two\>(?<two>\w+)"|table one two

The regex should extract what is in the one and two nodes and put them in fields called one and two.

t964396 · ‎07-04-2017

Thanks!, I tried but still, it returns only A, B.. but not C, D & E, F.

cmisztur · ‎07-04-2017

wouldn't you want to use xpath or spath to deal with XML?

t964396 · ‎07-04-2017

I tried, but not sure on it. So I had written a query using rex as below, it returns only error code1 detail1 all the times.

(one = code , two = detail)

InterfaceResponse|
rex "\(?.{2,60})<\/msg:succes" | where success = "false" |
rex "\(?.{2,60})<\/msg:cod" |
rex "\(?.{10,60})<\/msg:cod" |
rex "\(?.{10,60})<\/msg:cod" |
rex "(?.{2,60})<\/msg:detai" |
rex "(?.{10,60})<\/msg:detai" |
rex "(?.{10,60})<\/msg:detai" |
table MessageUUID success errorcode1 errorcode2 errorcode3 detail1 detail2 detail3

cmerriman · ‎07-05-2017

when you tried xpath, what did you try? |xpath outfield=one "//msg:XYS/msg:ONE"

t964396 · ‎07-04-2017

I tried as well, but not sure on it. here is the sample request, which I am trying to put it on a table (which results with error descp 1, 2 & 3). please advise.

cmerriman · ‎07-04-2017

You're trying to extract these into one field? Or what are you expecting as an output?

t964396 · ‎07-04-2017

trying to extract this output as a table

How to write a basic SPLUNK query which returns value A, B, C & D.

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor