Splunk Search

How to retrieve the results in Splunk from API

splunk6
Path Finder
2024-11-12 12:12:28.000,REQUEST="{"body":"<n1:Request xmlns:ESILib=\"http:/abcs/v1\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:n1=\"http://www.shaw.ca/esi/schema/product/inventoryreservation_create/v1\" xsi:schemaLocation=\"http://www.shaw.ca/esi/schema/product/inventoryreservation_create/v1 FES_InventoryReservation_create.xsd\"><n1:inventoryReservationCreateRequest><n1:brand>xyz</n1:brand><n1:channel>ABC</n1:channel><n1:bannerID>8669</n1:bannerID><n1:location>WD1234</n1:location><n1:genericLogicalResources><n1:genericLogicalResource><ESILib:skuNumber>194253408031</ESILib:skuNumber><ESILib:extendedProperties><ESILib:extendedProperty><ESILib:name>ReserveQty</ESILib:name><ESILib:values><ESILib:item>1</ESILib:item></ESILib:values></ESILib:extendedProperty></ESILib:extendedProperties></n1:genericLogicalResource></n1:genericLogicalResources></n1:inventoryReservationCreateRequest></n1:Request>



How to retrieve the banner ID and location from the above using a Splunk query?

index="abc"  sourcetype="oracle:transactionlog" OPERATION ="/service/v1/inventory/reservation"
|rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
|spath input=REQUEST
|spath input=REQUEST output=Bannerid path=body.n1:Request{}.n1:bannerID
|table Bannerid


I used the above query but it did not yield any results.

0 Karma

PickleRick
SplunkTrust

I write it way too often on this forum - make your life easier, fix your data!

At this point, even assuming that your copy-pasted sample got truncated and your real data is properly closed, you have

- XML structure

- as a string field in json

- prepended by some more or less structured plain-text header.

Do you have any other plain text data there? I suppose not. So you could just parse the timestamp and then cut the header. This can be done with a simple SEDCMD. With the json part it will be more difficult because it requires de-escaping some characters. And if you have more data in that json, "extracting" the xml part is not really a feasible option.

But it might be worth giving it a try.

0 Karma

splunk6
Path Finder

I don't have any plain text data. All the data are fed as request and response in Splunk, from which I need to retrieve bannerID and location codes. Could you please help me how to retrieve that in Splunk?

0 Karma

ITWhisperer
SplunkTrust

Your sample event does not include "RESPONSE", so the rex will not be able to extract the REQUEST field.

splunk6
Path Finder

I do have a RESPONSE field as well in the API:
RESPONSE="{"body":"<?xml version=\"1.0\" encoding=\"UTF-8\"?><fes:Response xmlns:fes=\"http://www.abc/product/inventoryreservation_create/v1\"><fes:inventoryReservationCreateResponse><fes:reservationId>fd19244445edb18</fes:reservationId><fes:requestStatus>Success</fes:requestStatus><fes:requestState>Order Reserved</fes:requestState></fes:inventoryReservationCreateResponse></fes:Response>","headers":{"content-type":"text/xml;charset=utf-8","accept":"application/xml,application/fastinfoset","server":"Jetty(9.4.27.v20200227)","uritemplate":"/service/v1/inventory/reservation","operationname":"CREATE_RESERVATION","method":"POST","url":"http://192.123/service/v1/inventory/reservation","x_shaw_request_tracing":"location_id","singularityheader":"appId=60*ctrlguid=1730261321*acctguid=602406e5-b988-4764-be9d-e041209f6ed8*ts=1731413516129*btid=40467*snapenable=true*donotresolve=true*guid=a61228ec-2eed-4ec7-b2eb-1e0ebb10ad65*exitguid=1|3|17*unresolvedexitid=13486*cidfrom=649,{[UNRESOLVED][17715]},648,{[UNRESOLVED][18213]},689*etypeorder=HTTP,HTTP,HTTP,HTTP,HTTP*esubtype=HTTP,HTTP,HTTP,HTTP,HTTP*cidto={[UNRESOLVED][17715]},648,{[UNRESOLVED][18213]},689,{[UNRESOLVED][13486]}","asyncreplyfordestinaton":"Svc-REST.DIRECTFULFILLMENT.CreateInventoryReservation:PROCESS","x_shaw_service_orchestration_id":"Id-ebcc8a602f57c17646182490","environment":"prod","final_match_group":"/","x_shaw_onbehalfof_id":"CREATE","directfulfillment.reservationid":"fd19244445edb18","lg_header":"Interaction=IwDMcZ3MDAZ5okkgkwEJDMgK;Locus=uWm7UBiog5Kb3BmVyz1/dA==;Flow=4geEzEzItMPK3CMgkwEODMgK;Chain=IQDMcZ3MDAZ5okkgkwEJDMgK;UpstreamOpID=eMsPL0LlEOcPDTl5JMfY6Q==;CallerAddress=tossbprd1app03.fcc.bss.globalivewireless.local;","content-length":"380"}}",

0 Karma

ITWhisperer
SplunkTrust

This event doesn't appear to have a REQUEST. Splunk SPL works on a pipeline of events, effectively processing each event one at a time. Usually, with request and response log events, you need to find a way to correlate the response with the request.

0 Karma

splunk6
Path Finder

Both the request and response are from the same API. It's just that I could not use spath to specify the path of bannerid and location code to get those values. Please help.

0 Karma

ITWhisperer
SplunkTrust

How do you know which response is related to which request?

0 Karma

splunk6
Path Finder

With the above request and response, can you tell me how we can retrieve the bannerID and location using a Splunk query?

0 Karma

ITWhisperer
SplunkTrust

How do you locate these within your events?

0 Karma

splunk6
Path Finder

Also, if there is a way to locate these events with the help of the "rex" command, let me know so that I can use that as well.

0 Karma

splunk6
Path Finder

Both the bannerID and location are inside the <n1:request> tag, which is inside the body of the REQUEST.

0 Karma
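The layering PickleRick describes (plain-text header, then JSON, then XML carried as an escaped string inside that JSON) is why a single spath path cannot reach bannerID and location: the REQUEST field has to be split off the line first, the JSON unwrapped to get the body string, and only then can the XML be parsed. The script below is an added example written for this thread, not SPL from the thread and not code from Splunk. It builds two constructed sample events modelled on the posted log line (placeholder values; the n1 namespace URI is the one declared in the posted request) and runs both routes over them: the structured route, which is what a `spath input=REQUEST path=body output=body` followed by a second parse of `body` does in SPL, and the regex route, which is the `rex "<n1:bannerID>(?<bannerID>[^<]+)</n1:bannerID>"` approach run against the raw event. The second sample is truncated exactly like the pasted one (no RESPONSE, JSON not closed), which shows why the thread's rex/spath chain returns nothing on it while the direct regex still extracts both values.

```python
import json
import re
import xml.etree.ElementTree as ET

# Namespace bound to the n1: prefix in the posted request (copied from the sample event).
N1_NS = "http://www.shaw.ca/esi/schema/product/inventoryreservation_create/v1"

# Constructed sample payloads modelled on the thread's log line. Banner ID, location,
# reservationId and the like are placeholders, not real data.
REQUEST_JSON = (
    '{"body":"<n1:Request xmlns:ESILib=\\"http:/abcs/v1\\" xmlns:n1=\\"' + N1_NS + '\\">'
    '<n1:inventoryReservationCreateRequest>'
    '<n1:brand>xyz</n1:brand><n1:channel>ABC</n1:channel>'
    '<n1:bannerID>8669</n1:bannerID><n1:location>WD1234</n1:location>'
    '</n1:inventoryReservationCreateRequest></n1:Request>"}'
)
RESPONSE_JSON = (
    '{"body":"<fes:Response xmlns:fes=\\"http://www.abc/product/inventoryreservation_create/v1\\">'
    '<fes:inventoryReservationCreateResponse><fes:reservationId>fd19244445edb18</fes:reservationId>'
    '<fes:requestStatus>Success</fes:requestStatus></fes:inventoryReservationCreateResponse>'
    '</fes:Response>"}'
)
# A complete event: plain-text header, then REQUEST="...", RESPONSE="...", RETRYNO=...
FULL_EVENT = (
    '2024-11-12 12:12:28.000,REQUEST="' + REQUEST_JSON
    + '", RESPONSE="' + RESPONSE_JSON + '", RETRYNO=0'
)
# The pasted sample: cut off before the JSON is closed and before any RESPONSE part.
TRUNCATED_EVENT = '2024-11-12 12:12:28.000,REQUEST="' + REQUEST_JSON[:-2]

# Stage 1: the split the thread's rex performs, anchored on the closing brace of each
# JSON object instead of a greedy ".+" so the capture ends where the JSON does.
EVENT_RE = re.compile(
    r'REQUEST="(?P<REQUEST>\{.*?\})",\s*RESPONSE="(?P<RESPONSE>\{.*?\})",\s*RETRYNO'
)


def split_event(event):
    """Return {'REQUEST': json_text, 'RESPONSE': json_text}, or None when the event
    does not carry both parts (as with the truncated paste in the thread)."""
    m = EVENT_RE.search(event)
    return m.groupdict() if m else None


def extract_from_request(event):
    """Structured route: unwrap the JSON, then parse the XML body with its namespace.
    Equivalent in SPL to 'spath input=REQUEST path=body output=body' plus a second
    parse of the body field; the XML is only a string until that second step."""
    parts = split_event(event)
    if parts is None:
        return None
    body = json.loads(parts["REQUEST"])["body"]  # JSON de-escaping happens here
    # ElementTree is adequate for log content you control; use defusedxml for XML
    # that arrives from untrusted parties.
    root = ET.fromstring(body)  # root element is <n1:Request>
    ns = {"n1": N1_NS}
    req = root.find("n1:inventoryReservationCreateRequest", ns)
    return {
        "bannerID": req.findtext("n1:bannerID", namespaces=ns),
        "location": req.findtext("n1:location", namespaces=ns),
    }


# Stage 3 alternative: match the element text directly on the raw line.
TAG_RES = {
    "bannerID": re.compile(r"<n1:bannerID>([^<]+)</n1:bannerID>"),
    "location": re.compile(r"<n1:location>([^<]+)</n1:location>"),
}


def extract_with_rex(event):
    """Regex route on the raw event, the same thing as
    rex "<n1:bannerID>(?<bannerID>[^<]+)</n1:bannerID>" in SPL. It never needs the
    JSON to be well formed, so it still works on the truncated sample."""
    return {name: (m.group(1) if (m := pat.search(event)) else None)
            for name, pat in TAG_RES.items()}


if __name__ == "__main__":
    for label, ev in (("full", FULL_EVENT), ("truncated", TRUNCATED_EVENT)):
        print(label, "structured:", extract_from_request(ev), "rex:", extract_with_rex(ev))
```

The regex route is the one to reach for when the goal is just the two values: `rex "<n1:bannerID>(?<bannerID>[^<]+)</n1:bannerID>" | rex "<n1:location>(?<location>[^<]+)</n1:location>" | table _time bannerID location` needs neither the RESPONSE part nor a parseable JSON wrapper. The structured route is worth the extra steps only when more of the request body is needed, and it depends on the first rex actually matching, which is ITWhisperer's point about the sample event.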