@payal23, KV_MODE=xml extracts all the field from XML data during search so that you do not have to go after all the field extractions. Similarly with spath command on _raw all xml nodes will be extracted automatically. You can choose the fields you are interested in.

Since your single xml has multiple <VfNetworkSettings> you would be working with multiple-values. Also some of the <NewValue> nodes in <VfNetworkSettings> are null. Which means multiple values might not get mapped one to one. For which I have populated null values in the raw event.

| eval _raw=replace(_raw,"\<NewValue\/\>","<NewValue>null</NewValue>")

As far as xpath is concerned I notice that the documented feature of the command does not seem to be working as expected. The following works | xpath outfield=NewValue "//SiebelMessage/ListOfVfNetworkSettings/VfNetworkSettings/NewValue" but this one does not | xpath outfield=NewValue "//SiebelMessage/ListOfVfNetworkSettings/VfNetworkSettings[NetworkSetting=\"Barred\"]/NewValue"

| makeresults 
| eval _raw="<SiebelMessage TransactionName=\"A\" IntObjectName=\"B\" IntObjectFormat=\"C\">
    <ListOfVfNetworkSettings>
        <VfNetworkSettings>
            <CurrentValue>Unbarred</CurrentValue>
            <NetworkSetting>Administration Bar</NetworkSetting>
            <Type>Barring</Type>
            <IMSI>123</IMSI>
            <MSISDN>abcd</MSISDN>
            <SecondarySubs>N</SecondarySubs>
            <NeServiceName>ANHL|</NeServiceName>
            <NewValue>Barred</NewValue>
            <Attribute>Status</Attribute>
            <ServiceProvider>AU</ServiceProvider>
        </VfNetworkSettings>
        <VfNetworkSettings>
            <CurrentValue>Unbarred</CurrentValue>
            <NetworkSetting>IDD Bar</NetworkSetting>
            <Type>Barring</Type>
            <IMSI>123</IMSI>
            <MSISDN>abcd</MSISDN>
            <SecondarySubs>N</SecondarySubs>
            <NeServiceName>ANHL|</NeServiceName>
            <NewValue/>
            <Attribute>Status</Attribute>
            <ServiceProvider>AU</ServiceProvider>
        </VfNetworkSettings>
        <VfNetworkSettings>
            <CurrentValue>Unbarred</CurrentValue>
            <NetworkSetting>Incoming Calls</NetworkSetting>
            <Type>Barring</Type>
            <IMSI>123</IMSI>
            <MSISDN>abcd</MSISDN>
            <SecondarySubs>N</SecondarySubs>
            <NeServiceName>ANHL|</NeServiceName>
            <NewValue/>
            <Attribute>Status</Attribute>
            <ServiceProvider>AU</ServiceProvider>
        </VfNetworkSettings>
        <VfNetworkSettings>
            <CurrentValue>Unbarred</CurrentValue>
            <NetworkSetting>International Roaming Bar</NetworkSetting>
            <Type>Barring</Type>
            <IMSI>123</IMSI>
            <MSISDN>abcd</MSISDN>
            <SecondarySubs>N</SecondarySubs>
            <NeServiceName>ANHL|</NeServiceName>
            <NewValue/>
            <Attribute>Status</Attribute>
            <ServiceProvider>AU</ServiceProvider>
        </VfNetworkSettings>
    </ListOfVfNetworkSettings>
</SiebelMessage>" 
| eval _raw=replace(_raw,"\<NewValue\/\>","<NewValue>null</NewValue>") 
| xpath outfield=NewValue "//SiebelMessage/ListOfVfNetworkSettings/VfNetworkSettings[NetworkSetting=\"Barred\"]/NewValue" field=_raw

PS: Also noticed another issue with xpath command where extracting two fields in the same search where both fields are multi-valued then first field becomes single value instead of multi-values.

| xpath outfield=NewValue "//SiebelMessage/ListOfVfNetworkSettings/VfNetworkSettings/NewValue" 
| xpath outfield=NetworkSetting "//SiebelMessage/ListOfVfNetworkSettings/VfNetworkSettings/NetworkSetting" 

1. Try my solution with spath from my previous answer and confirm.
2. Add BUG tag to your question.
3. If you have valid Splunk Entitlement please reach out to Splunk Support with the issue.

PS: On a different note, please add comment to specific thread rather than posting a new Answer 🙂

🙂

@niketnilay
I tried with spath.. but I am not sure why it is not retrieving any results. 😞

|spath output=NewValue path=SiebelMessage.ListOfVfNetworkSettings.VfNetworkSettings.NewValue|table NewValue

@payal23, if my run anywhere example with makeresults is working then just adding | spath should extract all the fields. If it is not doing so you will need to confirm whether your individual event logged in Splunk is xml or does it have any text prefixed/suffixed to it? First you would need to strip out any content apart from xml from the raw data for spath to work. Please check data and event.

PS: following worked for me with makeresults and eval instead of <YourBaseSearch>

<YourBaseSearch>
| eval _raw=replace(_raw,"\<NewValue\/\>","<NewValue>null</NewValue>")
| spath output=NewValue path=SiebelMessage.ListOfVfNetworkSettings.VfNetworkSettings.NewValue
| spath output=NetworkSetting path=SiebelMessage.ListOfVfNetworkSettings.VfNetworkSettings.NetworkSetting

@niketnilay Yes.. makeresults query is working fine.

And also the event is not purely XML.. it has few lines before XML. If i want to strip out the data have to create a new sourcetype and filter the events to get XML

.## 18 Mar 2018 11:10:07 [INFO] BusinessIdentifier : 123 **** MessageIdentifier : bc2 **** InterfaceName : UpdateNetworkSettings **** ServiceLayerName : CRMServiceMgmtCVS **** ServiceLayerOperation : VF Update Network Settings **** ServiceLayerPipeline : requestPipeline ErrorCode : **** ConsumerErrorMessage : **** FusionErrorCode : **** FusionErrorMessage : **** FaultingServiceErrorCode : **** FaultingServiceErrorMessage :
<ListOfVfNetworkSettings>.. rest xml

With the help of regex or anything else can we extract the same? 😞

@payal23 try the following rex to extract xml data from your raw events as first step.

PS: As per the xml sample data shared initially the root node should be <SiebelMessage not <ListOfVfNetworkSettings. Since Regular Expression is based on pattern match, the rex command will work only with correct pattern based on your actual event. I have created Regular Expression based on the following to be the pattern: FaultingServiceErrorMessage : <SiebelMessage. Please correct if the pattern is different.

(?<ms>) has been added to rex command to make dot (.) to match new line character as well in case xml has new line characters. Other option would be to remove new line character \n\r from _raw data before applying rex.

The rex pattern ends at <\/SiebelMessage> to get xml data as _raw.

<YourBaseSearch>
| rex "(?ms)FaultingServiceErrorMessage : (?<_raw>\<SiebelMessage.*\<\/SiebelMessage\>)"
| eval _raw=replace(_raw,"\<NewValue\/\>","<NewValue>null</NewValue>")
| spath
| rename SiebelMessage.ListOfVfNetworkSettings.VfNetworkSettings.NewValue as NewValue SiebelMessage.ListOfVfNetworkSettings.VfNetworkSettings.NetworkSetting as NetworkSetting
| stats count by NewValue NetworkSetting
| search NewValue="Barred" AND NetworkSetting="International Roaming Bar"

@niketnilay Regex is not working.

Is this regex working on _raw events.. I am not that good in regex.


| rex "(?ms)FaultingServiceErrorMessage : (?<_raw>\)"|table _raw

When I do this it is not filtering _raw logs.

Following is the link to regex I have tested with the sample data provided on regex101

Like I have mentioned before, regular expressions are heavily based on pattern in the text data. You should at least check the raw sample event whether it matches the pattern of data you have or not.

@niketnilay yayyyyy...its working finally!!!

Thankyou so much 🙂

|rex "FaultingServiceErrorMessage : [\n]+(?<_raw>\<SiebelMessage.*\<\/SiebelMessage\>)"

@payal23 glad you found a solution working for you.

Seems like you accepted your own answer instead of mine. You can either accept my answer or up vote the comments that helped 🙂