Search xml data

Harshi1993 · ‎09-08-2021

I have logs in the format of json where message is the key and message contains the value mentioned below

message:

<ErrorMessage>E-delivery failed<ErrorMessage>

When i am searching like below in the splunk, able to search the events

index="*" source="*" "E-delivery failed"

If i want to display the count of E-delivery failed string, the results are not fetching as the value under message tag is xml.

Query used is:

index="*" source="*"
| eval type=case(like(message, "%E-delivery failed%"),"e delivery failed")|stats count as Results by type

With the above query not able to get any results. Please help me with the query.

Result should be:

type count

e delivery failed 10

ITWhisperer · ‎09-09-2021

Has the message field already been extracted, e.g. does this produce the expected results

index="*" source="*" | stats count by message

If not, either extract the field with spath for example, or use _raw in the like function

index="*" source="*"
| eval type=case(like(_raw, "%E-delivery failed%"),"e delivery failed")|stats count as Results by type

Harshi1993 · ‎09-09-2021

Can't we use message field directly in the case statement. Do we need to use the _raw field in the case statement?

ITWhisperer · ‎09-09-2021

Yes, you can if it has been extracted. I gave an example for the situation where it hadn't been extracted.

Join the Conversation