@niketnilay, I am not sure I understand what you are asking. A03811 is a file transfer that moves some blabla842.csv file to a different location. All the file transfers in our acceptance environment start with an A and all the corresponding ones in production start with a P. When a file transfer has occurred we log the status (either "success" or "failed"). I want to put the failed ones on a dashboard. Everything works fine, except that when I would move the app to production it would look for file transfer A03811 and find nothing. It needs to look for P03811 instead.
I am building our new dashboards and alerts in our Acceptance environment; later we will move the whole app to Production. The issue at the moment is that on Acceptance file transfers are named like A03811 and on Production this file transfer is P03811. I don't want to change all of the searches that need to differentiate between the environments after we deploy the app to Production, so I am trying to find a way to check the environment in the search and change things accordingly.
What suggestion do you have to deal with this?
I would like to have a table of items, but getting this to work is not working out for me, I think because the raw event is slightly hard for me to process. This is a shortened version of my raw event:
EDIT: please note that the "& lt;" and "& gt;" markings below are actually without the space, but otherwise the forum would convert them.
[03/29/2017 15:39:00.115 CEST] BLABLA [nl.morenonsense]
<![CDATA[& lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?& gt;
& lt;SendCoolMsg xmlns="http://www.website.com"& gt;
& lt;CoolAMsg& gt;
& lt;?xml version="1.0" encoding="UTF-8"?& gt;
& lt;Items& gt;
& lt;Item1& gt;
& lt;information& gt;numbers and stuff& lt;/information& gt;
& lt;coolthings& gt;strings& lt;/coolthings& gt;
& lt;/Item1& gt;
& lt;Item2& gt;
& lt;information& gt;numbers2 and stuff2& lt;/information& gt;
& lt;coolthings& gt;strings2& lt;/coolthings& gt;
& lt;/Item2& gt;
& lt;/Items& gt;
& lt;/CoolAmsg& gt;
& lt;/SendCoolMsg& gt;
I'd like to end up with a table like this:
I can access the fields (like information) using xmlkv, but I haven't been able to get spath to find anything. I have tried using rex to first isolate the inner XML, but it seems to only give back results if there is just a string and not any tag for some reason.
search | xmlkv | table _time, information
will only give me the information of the first item; I need it to do something multivalued.
search | rex field=_raw "<informatie>(?<Inf>.*)</informatie>" max_match=0 | mvexpand Inf | table _time, Inf
Now we have the expanded multivaluedness. But the next step is to use the information in coolthings to filter. If it is strings2, the information shouldn't show up. And I don't know how to get there if I can't use the XML structure. Also, the event usually has over 15000 characters (sometimes over 30000), if that is a limit somewhere.