Splunk Search

How to write a basic SPLUNK query which returns value A, B, C & D.

t964396
New Member

Can you please help me on how to write a basic SPLUNK query which returns value A, B, C & D.

here are the sample XML tags screenshot attached

Tags (2)
0 Karma

cmerriman
Super Champion

Try something like this:

|rex "one\>(?<one>\w+)|two\>(?<two>\w+)"|table one two

The regex should extract what is in the one and two nodes and put them in fields called one and two.

0 Karma

t964396
New Member

Thanks!, I tried but still, it returns only A, B.. but not C, D & E, F.

0 Karma

cmisztur
Explorer

wouldn't you want to use xpath or spath to deal with XML?

t964396
New Member

I tried, but not sure on it. So I had written a query using rex as below, it returns only error code1 detail1 all the times.

(one = code , two = detail)

InterfaceResponse|
rex "\(?.{2,60})<\/msg:succes" | where success = "false" |
rex "\(?.{2,60})<\/msg:cod" |
rex "\(?.{10,60})<\/msg:cod" |
rex "\(?.{10,60})<\/msg:cod" |
rex "(?.{2,60})<\/msg:detai" |
rex "(?.{10,60})<\/msg:detai" |
rex "(?.{10,60})<\/msg:detai" |
table MessageUUID success errorcode1 errorcode2 errorcode3 detail1 detail2 detail3

0 Karma

cmerriman
Super Champion

when you tried xpath, what did you try? |xpath outfield=one "//msg:XYS/msg:ONE"

0 Karma

t964396
New Member

I tried as well, but not sure on it. here is the sample request, which I am trying to put it on a table (which results with error descp 1, 2 & 3). please advise.

0 Karma

cmerriman
Super Champion

You're trying to extract these into one field? Or what are you expecting as an output?

0 Karma

t964396
New Member

trying to extract this output as a table

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...