I have a set of XML logs that were all consumed by Splunk at the same time. I believe I have the timestamps from the logs properly read in my search, and I am getting reasonable results for just reporting on some fields, but I want to be able to perform some math using 2 existing fields and I am running into some trouble.
Here is a sample log in XML format:
And here is a sample search I am trying:
index=* sourcetype=xml-too_small | xmlkv | spath output=total_records path=interface.rpc.response.statistics.database-requests.totals.records | eval time=tostring(cleared) | eval recsperreq=total_records/'search-requests' | stats max(search-requests), max(total_records), max(success), max(exceptions), max(recsperreq) by time
The "spath" part is there because there are two tags and xmlkv only finds the second one. The timestamp is the one I want to use for "time", and while the formatting isn't perfect, I couldn't seem to get that cleaned up either. I know it's not elegant, but it seems to work. My current issue is that I get no results at all for "recsperreq". In the stats, all the fields under that column are blank. I would like that field to be the value of "totalrecords" (which is the XML field in the section) divided by the value of search-requests.
I'm sure I am missing something simple here but I can't for the life of me figure out what it is.
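An added example search, not part of the original post, showing one way to compute the per-request ratio from fields whose names contain a hyphen. It assumes the same sourcetype, XML path and field names the post uses (search-requests, success, exceptions, cleared); the renamed field search_requests and the guarded division are choices made here for illustration. The point it demonstrates: inside eval, an unquoted search-requests is parsed as search minus requests, so the hyphenated name must be quoted with single quotes or renamed first, and the result field must carry the same name into stats.

```spl
index=* sourcetype=xml-too_small
| xmlkv
| spath output=total_records path=interface.rpc.response.statistics.database-requests.totals.records
| rename "search-requests" AS search_requests
| eval total_records=tonumber(total_records), search_requests=tonumber(search_requests)
| eval recsperreq=if(search_requests>0, total_records/search_requests, null())
| eval time=tostring(cleared)
| stats max(search_requests) AS search_requests, max(total_records) AS total_records, max(success) AS success, max(exceptions) AS exceptions, max(recsperreq) AS recsperreq by time
```

The rename happens once, early, so every later eval and stats clause can use the underscore name without quoting. tonumber() makes both operands numeric even when the extraction returned them as strings, and the if() guard leaves recsperreq null rather than failing the whole eval when search_requests is zero or missing; a blank column in stats is exactly the symptom you get when eval silently produces no value for a row.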