Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

rex expression to extract field from XML message

keeplearningbud
New Member
‎05-04-2017 04:28 PM

Hi..

I am trying to create a dashboard which extracts errorCode field from multiple xmls. Xpath for it would be different for different outputs. For ex: for createUser it is abc and for deleteUser it would be xyz. I need to have the xpath dynamic which extracts errorCode alone. I am trying with below expression which I know makes no sense. Please help.

|rex "(?.),(?.),(?.),(?.),(?s)(?.*)" | spath input=PAYLOAD output=fault path="*errorCode" |stats count(fault) as FaultCount by fault

The above is retrieving zero results.

Tags (4)
0 Karma
Reply

DalJeanis
Legend
‎05-04-2017 05:06 PM

If you have multiple different XML formats, but the same tag name, then you would probably be better off using a rex to extract it, rather than spath.

Try this - 

| rex  "\<errorCode\>\s+?(?<errorCode>\S[^<]+?)\s+?\<\/errorCode\>"

Over at regex101.com that one managed to pull the reallygoodstuff out of this one... 

<biggerstuff>  <stuff> we dont care about this  </stuff> <errorCode> reallygoodstuff </errorCode> </biggerstuff>

... and thereally good stuff out of this one ...

<biggerstuff> <morestuff> this is just extra </morestuff> <stuff> we dont care about this  </stuff> <errorCode> really good stuff </errorCode> <junk> and I really hate this junk </junk> </biggerstuff>
0 Karma
Reply

keeplearningbud
New Member
‎05-04-2017 05:17 PM

Sir. Thanks for the reply. But I am unable to apply this to splunk dash board. I am clueless about the mistake.

host="xyz*" index="abc" (",log_," ) | rex "(?.),(?.),(?.),(?.),(?s)(?.)" |rex fault=PAYLOAD "\s+?(?\S[^<]+?)\s+?<\/errorCode>"| stats count(fault) as FaultCount by fault

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...