Re: how to retrieve the results in splunk from API

splunk6 · ‎11-12-2024

2024-11-12 12:12:28.000,REQUEST="{"body":"<n1:Request xmlns:ESILib=\"http:/abcs/v1\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:n1=\"http://www.shaw.ca/esi/schema/product/inventoryreservation_create/v1\" xsi:schemaLocation=\"http://www.shaw.ca/esi/schema/product/inventoryreservation_create/v1 FES_InventoryReservation_create.xsd\"><n1:inventoryReservationCreateRequest><n1:brand>xyz</n1:brand><n1:channel>ABC</n1:channel><n1:bannerID>8669</n1:bannerID><n1:location>WD1234</n1:location><n1:genericLogicalResources><n1:genericLogicalResource><ESILib:skuNumber>194253408031</ESILib:skuNumber><ESILib:extendedProperties><ESILib:extendedProperty><ESILib:name>ReserveQty</ESILib:name><ESILib:values><ESILib:item>1</ESILib:item></ESILib:values></ESILib:extendedProperty></ESILib:extendedProperties></n1:genericLogicalResource></n1:genericLogicalResources></n1:inventoryReservationCreateRequest></n1:Request>

how to retrieve the banner ID and location from the above using splunk query.

index="abc"  sourcetype="oracle:transactionlog" OPERATION ="/service/v1/inventory/reservation"
|rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
|spath input=REQUEST
|spath input=REQUEST output=Bannerid path=body.n1:Request{}.n1:bannerID
|table Bannerid

I used the above query but it didnot yeild any results

PickleRick · ‎11-12-2024

I write it way too often on this forum - make your life easier, fix your data!

At this point, even assuming that your copy-pasted sample got truncated and your real data is properly closed, you have

- XML structure

- as a string field in json

- prepended by some more or less structured plain-text header.

Do you have any other plain text data there? I suppose not. So you could just parse the timestamp and then cut the header. This can be done with a simple SEDCMD. With the json part it will be more difficult because it requires de-escaping some characters. And if you have more data in that json, "extracting" the xml part is not really a feasible option.

But it might be worth giving it a try.

splunk6 · ‎11-12-2024

I dont have any plain text data. All the data are feeded as REquest and response in splunk from which i need to retrieve bannerID and location codes. Could you please help me how to retrive that in splunk

ITWhisperer · ‎11-12-2024

Your sample event does not include "RESPONSE" so the rex will not be able to extract the REQUEST field

splunk6 · ‎11-12-2024

I do have a RESPONSE field as well in the API
RESPONSE="{"body":"<?xml version=\"1.0\" encoding=\"UTF-8\"?><fes:Response xmlns:fes=\"http://www.abc/product/inventoryreservation_create/v1\"><fes:inventoryReservationCreateResponse><fes:reservationId>fd19244445edb18</fes:reservationId><fes:requestStatus>Success</fes:requestStatus><fes:requestState>Order Reserved</fes:requestState></fes:inventoryReservationCreateResponse></fes:Response>","headers":{"content-type":"text/xml;charset=utf-8","accept":"application/xml,application/fastinfoset","server":"Jetty(9.4.27.v20200227)","uritemplate":"/service/v1/inventory/reservation","operationname":"CREATE_RESERVATION","method":"POST","url":"http://192.123/service/v1/inventory/reservation","x_shaw_request_tracing":"location_id","singularityheader":"appId=60*ctrlguid=1730261321*acctguid=602406e5-b988-4764-be9d-e041209f6ed8*ts=1731413516129*btid=40467*snapenable=true*donotresolve=true*guid=a61228ec-2eed-4ec7-b2eb-1e0ebb10ad65*exitguid=1|3|17*unresolvedexitid=13486*cidfrom=649,{[UNRESOLVED][17715]},648,{[UNRESOLVED][18213]},689*etypeorder=HTTP,HTTP,HTTP,HTTP,HTTP*esubtype=HTTP,HTTP,HTTP,HTTP,HTTP*cidto={[UNRESOLVED][17715]},648,{[UNRESOLVED][18213]},689,{[UNRESOLVED][13486]}","asyncreplyfordestinaton":"Svc-REST.DIRECTFULFILLMENT.CreateInventoryReservation:PROCESS","x_shaw_service_orchestration_id":"Id-ebcc8a602f57c17646182490","environment":"prod","final_match_group":"/","x_shaw_onbehalfof_id":"CREATE","directfulfillment.reservationid":"fd19244445edb18","lg_header":"Interaction=IwDMcZ3MDAZ5okkgkwEJDMgK;Locus=uWm7UBiog5Kb3BmVyz1/dA==;Flow=4geEzEzItMPK3CMgkwEODMgK;Chain=IQDMcZ3MDAZ5okkgkwEJDMgK;UpstreamOpID=eMsPL0LlEOcPDTl5JMfY6Q==;CallerAddress=tossbprd1app03.fcc.bss.globalivewireless.local;","content-length":"380"}}",

ITWhisperer · ‎11-12-2024

This event doesn't appear to have a REQUEST. Splunk SPL works on a pipeline of events, effectively processing each event one at a time. Usually, with request and response log events, you need to find a way to correlate the response with the request.

splunk6 · ‎11-12-2024

Both the request and response are from the same API. Just that i could not use spath to specify the path of bannerid and location code to get those values. Please help

ITWhisperer · ‎11-12-2024

How do you know which response is related to which request?

splunk6 · ‎11-12-2024

With the above request and response can u telme how we can retrieve the bannerID and location using splunk query

ITWhisperer · ‎11-12-2024

How do you locate these within your events?

splunk6 · ‎11-12-2024

Also if there is a way to locate these events with the help of "rex" command also let me know so that i can use that as well

splunk6 · ‎11-12-2024

both the bannerID and location are inside <n1:request> tag which is inside body of the REQUEST

how to retrieve the results in splunk from API

troubleshooting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Join the Conversation