Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

rex expression to extract field from XML message

keeplearningbud
New Member
‎05-04-2017 04:28 PM

Hi..

I am trying to create a dashboard which extracts errorCode field from multiple xmls. Xpath for it would be different for different outputs. For ex: for createUser it is abc and for deleteUser it would be xyz. I need to have the xpath dynamic which extracts errorCode alone. I am trying with below expression which I know makes no sense. Please help.

|rex "(?.),(?.),(?.),(?.),(?s)(?.*)" | spath input=PAYLOAD output=fault path="*errorCode" |stats count(fault) as FaultCount by fault

The above is retrieving zero results.

Tags (4)
0 Karma
Reply

DalJeanis
Legend
‎05-04-2017 05:06 PM

If you have multiple different XML formats, but the same tag name, then you would probably be better off using a rex to extract it, rather than spath.

Try this - 

| rex  "\<errorCode\>\s+?(?<errorCode>\S[^<]+?)\s+?\<\/errorCode\>"

Over at regex101.com that one managed to pull the reallygoodstuff out of this one... 

<biggerstuff>  <stuff> we dont care about this  </stuff> <errorCode> reallygoodstuff </errorCode> </biggerstuff>

... and thereally good stuff out of this one ...

<biggerstuff> <morestuff> this is just extra </morestuff> <stuff> we dont care about this  </stuff> <errorCode> really good stuff </errorCode> <junk> and I really hate this junk </junk> </biggerstuff>
0 Karma
Reply

keeplearningbud
New Member
‎05-04-2017 05:17 PM

Sir. Thanks for the reply. But I am unable to apply this to splunk dash board. I am clueless about the mistake.

host="xyz*" index="abc" (",log_," ) | rex "(?.),(?.),(?.),(?.),(?s)(?.)" |rex fault=PAYLOAD "\s+?(?\S[^<]+?)\s+?<\/errorCode>"| stats count(fault) as FaultCount by fault

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...