Splunk Search

Monitoring XML files in directory, why isn't splunk giving expected result?

Explorer

Hi,
I am trying to monitor a directory which contains multiple XML files, which may contain exactly the same contents or different ones.
I have selected source type automatic. After indexing the data it created a total number of events equal to the number of files in the directory, i.e. Splunk is considering each file as one event.
My XML file looks like:

  <Details>
      <Location>
          <Region>APAC</Region>
          <Country>India</Country>
          <State>Karnataka</State>
          <City>Bangalore</City>
      </Location>
  </Details>
  <TargetMachines>
      <TargetMachine Name="win7a2" IPAddress="10.167.177.30" Status="Running" >
          <Tasks>
              <Task TaskSer="137" PackageName="Client Applications" PackageVersion="V13.5 (P1007499-002)"  Status="Fail">
                  <Steps>
                      <Step ID="f2b56177-" Name="ARIA PM" Status="Pass" StepSer="4738" />
                      <Step ID="46b4db06" Name="ARIA RO" Status="Fail" StepSer="4739" />
                      <Step ID="3de785d5-c6" Name="Deluxe Reports" Status="NotStarted" StepSer="4742" />
                      ...........
                      ...........
                  </Steps>
              </Task>
          </Tasks>
      </TargetMachine>
      <TargetMachine Name="win7a3" IPAddress="10.167.177.31" Status="NoCommunication" >
          <Tasks>
              <Task TaskSer="138" PackageName="Client Applications" PackageVersion="V13.5 (P1007499-002)"  Status="Fail">
                  <Steps>
                      <Step ID="f2b56174-" Name="ARIA PM" Status="Pass" StepSer="4656" />
                      <Step ID="46b4db03" Name="ARIA RO" Status="Fail" StepSer="4657" />
                      <Step ID="3de785d5" Name="Deluxe Reports" Status="NotStarted" StepSer="4658" />
                      ..................
                      ..................
                  </Steps>
              </Task>
          </Tasks>
      </TargetMachine>

  </TargetMachines>
And so on...

Now, the Splunk searches I want to achieve:
1. Count of unique IPAddress by Region/State/City
2. Count of unique IPAddress by Status (here the Status of the <TargetMachine> tag) in a specific Region (for example, APAC)

I have tried the following query for question 1.

source="C:\\Users\\gbisht\\Desktop\\Data Analytics\\RSD_Demo_Global_2\\*" host="PU4LDPSHT12"
 |spath output="Region" path="RSDReport.SiteDetail.Location.Region"
 | spath output="IPAddress" path="RSDReport.TargetMachines.TargetMachine{@IPAddress}" |stats dc(IPAddress) by Region

It is giving correct output.

I did it the same way for question 2.

source="C:\\Users\\gbisht\\Desktop\\Data Analytics\\RSD_Demo_Global_2\\*" host="PU4LDPSHT12"|spath 
|spath output="Region" path="RSDReport.SiteDetail.Location.Region" 
|search Region ="AMEA" 
| spath output="IPAddress" path="RSDReport.TargetMachines.TargetMachine{@IPAddress}" 
|stats dc(IPAddress) by  RSDReport.TargetMachines.TargetMachine{@Status}

But it is not giving the expected result.

Please help.

Regards,
Aditya

0 Karma
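Added example, not part of the thread or of Splunk itself: a small Python model of the two counts the question asks for, run over constructed report files shaped like the XML above. It shows the difference between treating each TargetMachine as its own row (the pairing of IPAddress with Status and with the file's location is kept) and treating each file as one event whose IPAddress and Status attributes are two flat value lists, which is what a bare spath on a one-file-per-event index produces and is the situation the second search in the question runs into. The RSDReport/SiteDetail wrapper is assumed from the spath paths in the question; the AMEA file, its IPs and the duplicate APAC file are constructed. In SPL the per-machine expansion corresponds to extracting the TargetMachine element with spath, splitting it with mvexpand, and then running spath with input= on the expanded field before stats; that SPL is not shown or tested here.

```python
# Added example (not from the thread): per-machine rows vs. per-event value lists
# when computing dc(IPAddress) by Region and by TargetMachine Status.
# Assumed: <RSDReport><SiteDetail><Location>... wrapper (from the question's spath paths).
# Constructed: all sample files below; APAC machine values are taken from the question.
import xml.etree.ElementTree as ET
from collections import defaultdict

REPORT_TEMPLATE = """<RSDReport>
  <SiteDetail>
    <Location>
      <Region>{region}</Region><Country>{country}</Country>
      <State>{state}</State><City>{city}</City>
    </Location>
  </SiteDetail>
  <TargetMachines>
{machines}
  </TargetMachines>
</RSDReport>"""


def make_report(region, country, state, city, machines):
    """Build one constructed report file (one Splunk event) as a string."""
    tm = "\n".join(
        f'    <TargetMachine Name="{n}" IPAddress="{ip}" Status="{st}"><Tasks/></TargetMachine>'
        for n, ip, st in machines)
    return REPORT_TEMPLATE.format(region=region, country=country, state=state,
                                  city=city, machines=tm)


# Three constructed files: the APAC file from the question, an identical copy of it
# (the question says files may be exact duplicates), and an AMEA file with made-up IPs.
APAC_FILE = make_report("APAC", "India", "Karnataka", "Bangalore",
                        [("win7a2", "10.167.177.30", "Running"),
                         ("win7a3", "10.167.177.31", "NoCommunication")])
AMEA_FILE = make_report("AMEA", "UAE", "Dubai", "Dubai",
                        [("win7b1", "10.0.0.1", "Running"),
                         ("win7b2", "10.0.0.2", "Running")])
SAMPLE_FILES = [APAC_FILE, APAC_FILE, AMEA_FILE]


def machine_rows(xml_text):
    """One row per <TargetMachine>, each carrying the file's location, so that
    IPAddress and Status stay paired (the effect of mvexpand per machine)."""
    root = ET.fromstring(xml_text)
    loc = root.find("SiteDetail/Location")
    site = {tag: loc.findtext(tag) for tag in ("Region", "State", "City")}
    return [dict(site, IPAddress=tm.get("IPAddress"), Status=tm.get("Status"))
            for tm in root.iter("TargetMachine")]


def load_rows(files):
    return [row for f in files for row in machine_rows(f)]


def dc_ip_by(rows, key):
    """stats dc(IPAddress) by <key>: distinct IPs per value of key (duplicate files collapse)."""
    seen = defaultdict(set)
    for r in rows:
        seen[r[key]].add(r["IPAddress"])
    return {k: len(v) for k, v in seen.items()}


def dc_ip_by_status_in_region(rows, region):
    """Question 2: distinct IPs per TargetMachine Status within one Region."""
    return dc_ip_by([r for r in rows if r["Region"] == region], "Status")


def event_level_dc_by_status(files, region):
    """What a file-per-event search computes when Status and IPAddress are two flat
    multivalue fields: every Status value in a file is credited with every IP in that
    file, so the per-status counts are inflated."""
    seen = defaultdict(set)
    for f in files:
        root = ET.fromstring(f)
        if root.findtext("SiteDetail/Location/Region") != region:
            continue
        ips = {tm.get("IPAddress") for tm in root.iter("TargetMachine")}
        for status in {tm.get("Status") for tm in root.iter("TargetMachine")}:
            seen[status] |= ips
    return {k: len(v) for k, v in seen.items()}


if __name__ == "__main__":
    rows = load_rows(SAMPLE_FILES)
    print("dc(IPAddress) by Region:", dc_ip_by(rows, "Region"))
    print("dc(IPAddress) by City:", dc_ip_by(rows, "City"))
    print("dc(IPAddress) by Status in APAC:", dc_ip_by_status_in_region(rows, "APAC"))
    print("event-level (unpaired) in APAC:", event_level_dc_by_status(SAMPLE_FILES, "APAC"))
```

With the per-machine rows the APAC region reports one Running and one NoCommunication address; with the per-event value lists both statuses are credited with both APAC addresses, which is the kind of "some result but not correct" output a multivalue by-field produces.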

Re: Monitoring XML files in directory, why isn't splunk giving expected result?

Esteemed Legend

You have two | spath in a row. So fix that first:

 source="C:\\Users\\gbisht\\Desktop\\Data Analytics\\RSD_Demo_Global_2\\*" host="PU4LDPSHT12" | spath output="Region" path="RSDReport.SiteDetail.Location.Region" | search Region ="AMEA" | spath output="IPAddress" path="RSDReport.TargetMachines.TargetMachine{@IPAddress}" | stats dc(IPAddress) by RSDReport.TargetMachines.TargetMachine{@Status}

If it still doesn't work, your curly braces may be misinterpreted (it would definitely help if you gave us any error text that is resulting); try this:

 source="C:\\Users\\gbisht\\Desktop\\Data Analytics\\RSD_Demo_Global_2\\*" host="PU4LDPSHT12" | spath output="Region" path="RSDReport.SiteDetail.Location.Region" | search Region ="AMEA" | spath output="IPAddress" path="RSDReport.TargetMachines.TargetMachine{@IPAddress}" | stats dc(IPAddress) by $RSDReport.TargetMachines.TargetMachine{@Status}$

Or maybe this:

 source="C:\\Users\\gbisht\\Desktop\\Data Analytics\\RSD_Demo_Global_2\\*" host="PU4LDPSHT12" | spath output="Region" path="RSDReport.SiteDetail.Location.Region" | search Region ="AMEA" | spath output="IPAddress" path="RSDReport.TargetMachines.TargetMachine{@IPAddress}" | stats dc(IPAddress) by RSDReport.TargetMachines.TargetMachine*Status*
0 Karma

Re: Monitoring XML files in directory, why isn't splunk giving expected result?

Explorer

After using all of the above queries, it is giving "No Result Found".
But when I add one extra spath after host, it gives some result, but not the correct one. I mean, as I wrote above.

0 Karma

Re: Monitoring XML files in directory, why isn't splunk giving expected result?

Esteemed Legend

The general approach in these situations is to strip off everything after the last pipe ("|") and keep doing this until you get data that makes sense. Then add the pieces back in, going the other way one by one, and figure out what you did wrong.

0 Karma