Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

rex expression to extract field from XML message

keeplearningbud
New Member
‎05-04-2017 04:28 PM

Hi..

I am trying to create a dashboard which extracts errorCode field from multiple xmls. Xpath for it would be different for different outputs. For ex: for createUser it is abc and for deleteUser it would be xyz. I need to have the xpath dynamic which extracts errorCode alone. I am trying with below expression which I know makes no sense. Please help.

|rex "(?.),(?.),(?.),(?.),(?s)(?.*)" | spath input=PAYLOAD output=fault path="*errorCode" |stats count(fault) as FaultCount by fault

The above is retrieving zero results.

Tags (4)
0 Karma
Reply

DalJeanis
Legend
‎05-04-2017 05:06 PM

If you have multiple different XML formats, but the same tag name, then you would probably be better off using a rex to extract it, rather than spath.

Try this - 

| rex  "\<errorCode\>\s+?(?<errorCode>\S[^<]+?)\s+?\<\/errorCode\>"

Over at regex101.com that one managed to pull the reallygoodstuff out of this one... 

<biggerstuff>  <stuff> we dont care about this  </stuff> <errorCode> reallygoodstuff </errorCode> </biggerstuff>

... and thereally good stuff out of this one ...

<biggerstuff> <morestuff> this is just extra </morestuff> <stuff> we dont care about this  </stuff> <errorCode> really good stuff </errorCode> <junk> and I really hate this junk </junk> </biggerstuff>
0 Karma
Reply

keeplearningbud
New Member
‎05-04-2017 05:17 PM

Sir. Thanks for the reply. But I am unable to apply this to splunk dash board. I am clueless about the mistake.

host="xyz*" index="abc" (",log_," ) | rex "(?.),(?.),(?.),(?.),(?s)(?.)" |rex fault=PAYLOAD "\s+?(?\S[^<]+?)\s+?<\/errorCode>"| stats count(fault) as FaultCount by fault

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...