XML with namespace Parsing

durgave
Engager

I have a field with XML as below; can someone help me with how I can parse out ErrorDescription?

"<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns1:TServiceResponse version="us-3.0.0.1029" xmlns:ns1="TServiceResponse">
    <ns1:ServiceRequest>
        <ns1:SID ns1:New="false">3b2509cd-da09-4a02-bce1-a1f5fe36b15f</ns1:SID>
        <ns1:CID ns1:New="false">093a83d9-35fa-49f9-bcea-cccca3ae996c</ns1:CID>
        <ns1:ID ns1:New="false">02625697-7fee-387e-e053-0100007fcd53</ns1:ID>
        <ns1:CollectionDateGMT>2020-07-16 23:06:27.816</ns1:CollectionDateGMT>
        <ns1:TID>4a42ca3bd5a8:02625697-7fee-387e-e053-0100007fcd53:a7a2d372-4db5-41a7-b4fa-37285302fea6:230726924</ns1:TID>
        <ns1:FirmwareVersion>081120</ns1:FirmwareVersion>
        <ns1:PN>WWWWREFE</ns1:PN>
        <ns1:CollectionMethodType>Auto Collection</ns1:CollectionMethodType>
    </ns1:ServiceRequest>
    <ns1:ServiceError>
        <ns1:ErrorCode>3.1.12.309</ns1:ErrorCode>
        <ns1:ErrorDescription>DeviceType not supported.:DEVICE_TYPE_UPDATE_ERROR for TID</ns1:ErrorDescription>
    </ns1:ServiceError>
</ns1:TServiceResponse>"

Your help is appreciated.

0 Karma
1 Solution

durgave
Engager

I think I found the issue in my query: the field is wrapped with quotes, which I needed to remove.

| makeresults
| eval cs="\"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>
<ns1:TServiceResponse version=\"us-3.0.0.1029\" xmlns:ns1=\"TServiceResponse\">
    <ns1:ServiceRequest>
        <ns1:SID ns1:New=\"false\">3b2509cd-da09-4a02-bce1-a1f5fe36b15f</ns1:SID>
        <ns1:CID ns1:New=\"false\">093a83d9-35fa-49f9-bcea-cccca3ae996c</ns1:CID>
        <ns1:ID ns1:New=\"false\">02625697-7fee-387e-e053-0100007fcd53</ns1:ID>
        <ns1:CollectionDateGMT>2020-07-16 23:06:27.816</ns1:CollectionDateGMT>
        <ns1:TID>4a42ca3bd5a8:02625697-7fee-387e-e053-0100007fcd53:a7a2d372-4db5-41a7-b4fa-37285302fea6:230726924</ns1:TID>
        <ns1:FirmwareVersion>081120</ns1:FirmwareVersion>
        <ns1:PN>WWWWREFE</ns1:PN>
        <ns1:CollectionMethodType>Auto Collection</ns1:CollectionMethodType>
    </ns1:ServiceRequest>
    <ns1:ServiceError>
        <ns1:ErrorCode>3.1.12.309</ns1:ErrorCode>
        <ns1:ErrorDescription>DeviceType not supported.:DEVICE_TYPE_UPDATE_ERROR for TID</ns1:ErrorDescription>
    </ns1:ServiceError>
</ns1:TServiceResponse>\""
| rex field=cs mode=sed "s/^\"//"
| rex field=cs mode=sed "s/\"$//"
| fields cs
| spath input=cs output=error_desc path=ns1:TServiceResponse.ns1:ServiceError.ns1:ErrorDescription
| table error_desc

0 Karma
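The same extraction outside Splunk, as an added example that is not part of the original post: Python's standard-library ElementTree parses the payload above namespace-aware, so the ns1 prefix is addressed through the URI it is bound to ("TServiceResponse"), whereas the spath path uses the literal prefix text. The example also shows why the wrapping quotes break parsing (a leading quote is rejected outright, and a trailing one is junk after the root element), strips them from both ends, and handles a response that has no ServiceError block. The second, error-free payload is constructed for the example. For XML from an untrusted source, defusedxml.ElementTree is the drop-in replacement for the stdlib parser.

```python
"""Extract ServiceError fields from a namespaced XML payload like the one
in the post. Added example, not the poster's code."""
import xml.etree.ElementTree as ET
from typing import Optional

# Prefix -> namespace URI. In this document ns1 is bound to the URI
# "TServiceResponse" (xmlns:ns1="TServiceResponse"); a namespace-aware
# parser matches on that URI, not on the prefix characters.
NS = {"ns1": "TServiceResponse"}

# Sample taken from the post, still wrapped in the literal double quotes
# the original field carried (the condition that broke the spath call).
QUOTED_PAYLOAD = '''"<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns1:TServiceResponse version="us-3.0.0.1029" xmlns:ns1="TServiceResponse">
    <ns1:ServiceRequest>
        <ns1:SID ns1:New="false">3b2509cd-da09-4a02-bce1-a1f5fe36b15f</ns1:SID>
        <ns1:TID>4a42ca3bd5a8:02625697-7fee-387e-e053-0100007fcd53:a7a2d372-4db5-41a7-b4fa-37285302fea6:230726924</ns1:TID>
    </ns1:ServiceRequest>
    <ns1:ServiceError>
        <ns1:ErrorCode>3.1.12.309</ns1:ErrorCode>
        <ns1:ErrorDescription>DeviceType not supported.:DEVICE_TYPE_UPDATE_ERROR for TID</ns1:ErrorDescription>
    </ns1:ServiceError>
</ns1:TServiceResponse>"'''

# Constructed sample: a successful response with no ServiceError element.
OK_PAYLOAD = '''<?xml version="1.0" encoding="UTF-8"?>
<ns1:TServiceResponse version="us-3.0.0.1029" xmlns:ns1="TServiceResponse">
    <ns1:ServiceRequest><ns1:PN>WWWWREFE</ns1:PN></ns1:ServiceRequest>
</ns1:TServiceResponse>'''


def parses_as_is(raw: str) -> bool:
    """True if the field parses without any cleanup. The quoted form does not:
    a leading '"' is not valid XML, and a trailing '"' is junk after the
    document element, so both quotes have to go, not just the leading one."""
    try:
        ET.fromstring(raw)
        return True
    except ET.ParseError:
        return False


def unwrap_quotes(raw: str) -> str:
    """Strip surrounding whitespace and one pair of wrapping double quotes."""
    s = raw.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return s


def extract_service_error(raw: str) -> Optional[dict]:
    """Return {'code': ..., 'description': ...} from ns1:ServiceError,
    or None when the response carries no ServiceError element."""
    root = ET.fromstring(unwrap_quotes(raw))
    # Namespace-aware equivalent of the spath path
    # ns1:TServiceResponse.ns1:ServiceError.ns1:ErrorDescription,
    # expressed relative to the root element.
    err = root.find("ns1:ServiceError", NS)
    if err is None:
        return None
    code = err.findtext("ns1:ErrorCode", default="", namespaces=NS)
    desc = err.findtext("ns1:ErrorDescription", default="", namespaces=NS)
    return {"code": code, "description": desc}


if __name__ == "__main__":
    print("parses as-is:", parses_as_is(QUOTED_PAYLOAD))
    print(extract_service_error(QUOTED_PAYLOAD))
    print(extract_service_error(OK_PAYLOAD))
```

If the XML ever changes its namespace URI while keeping the ns1 prefix, the Python lookup breaks and the spath path keeps working, since spath matches the prefix text; the reverse holds if a producer picks a different prefix for the same URI. Check which of the two your upstream is stable on before relying on either path.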
