Getting Data In

Search the data from an XML-based log file based on a condition

rafimails
New Member

Hi,
I am trying to search and display the data from an XML-based log file with the matching condition.
My XML is like below:

 <track-exception-code>70</track-exception-code>
<track-item-number>779771138490</track-item-number>
<track-location-code>COKED</track-location-code>
<track-scan-time>0933</track-scan-time>
<track-type>07</track-type>

I used the below query to search for the track-item-number

host="" source="" |xpath outfield=track-item-number "//EnhancedEvent/master-list[track-type='07']/track-item-number"

The result should display track-item-number as 779771138490 when I use the condition where track-type=07 and track-exception-code=70.

No results were displayed when I ran the above query. Could you please help me in this regard?

Regards
Rafi

0 Karma

efavreau
Motivator

@rafimails Sometimes using xpath or spath isn't what's best for readability or easiest. Sometimes it is. I've found using regular expressions is sometimes quite similar in performance and easier for readability, which is what I'll show you below in a run anywhere example:

| makeresults 
| eval _raw="<track-exception-code>70</track-exception-code>,<track-item-number>779771138490</track-item-number>,<track-location-code>COKED</track-location-code>,<track-scan-time>0933</track-scan-time>,<track-type>07</track-type>"
| makemv _raw delim=","
| rex field=_raw "<track-exception-code>(?<track_exception_code>.+)<\/track-exception-code>"
| rex field=_raw "<track-item-number>(?<track_item_number>.+)</track-item-number>"
| rex field=_raw "<track-location-code>(?<track_location_code>.+)</track-location-code>"
| rex field=_raw "<track-scan-time>(?<track_scan_time>.+)<\/track-scan-time>"
| rex field=_raw "<track-type>(?<track_type>.+)<\/track-type>"

Now all your data is in fields that you can manipulate as you need. Cheers!

###

If this reply helps you, an upvote would be appreciated.
0 Karma

rafimails
New Member

This XML data in the logs is dynamic. I just want to search the data based on a condition. Example: my sample log file name is sample.log, the host is abc, and in the sample log let's say track-type is 7, track-exception-code is 74 and track-item-number is 12345.
I want to read this log file and display the track-item-number as 12345 when track-type=7 and track-exception-code=74.
The root elements for the XML file are Enhancementevent and masterlist.

Sample xml file looks like below

12345
7
74

Search string:

host=abc source= sample.log

0 Karma

to4kawa
Ultra Champion
....
| spath

Hi, how about this

0 Karma

rafimails
New Member

Can you give me the full query with spath?

0 Karma

to4kawa
Ultra Champion

Sorry, I can't touch Splunk now.
Another way:

index=yourindex "<track-item-number>"
|rex "\<track-item-number\>(?<track_item_number>\d+)"

Maybe it works.

0 Karma

rafimails
New Member

Not working.

0 Karma

rafimails
New Member

Can the index name be anything? If not, where can I see the index name?

0 Karma

to4kawa
Ultra Champion

Sorry, you can't try spath?

_time                track-exception-code  track-item-number  track-location-code  track-scan-time  track-type
2020/01/23 20:25:50  70                    779771138490       COKED                0933             07

The fields should be extracted neatly

0 Karma

rafimails
New Member

Can you give me the search string for the above result?

0 Karma

rafimails
New Member

This is what my XML looks like:

<master-list>
<track-exception-code>70</track-exception-code>
<track-item-number>779771138490</track-item-number>
<track-location-code>COKED</track-location-code>
<track-scan-time>0933</track-scan-time>
<track-type>07</track-type>
0 Karma

to4kawa
Ultra Champion

Please add your query below.

| spath
0 Karma
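
The per-record condition asked about in this thread, as an added example in Python (not code from any poster, and not Splunk SPL): it parses each `<master-list>` block out of log text and returns `track-item-number` only where `track-type` and `track-exception-code` both match in the same record, comparing numerically so that `07` and `7` are treated as equal. The sample log, its timestamp prefix, and the names `item_numbers` and `_as_int` are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample log (element names from the thread; no XML root).
SAMPLE_LOG = """\
2020-01-23 20:25:50 INFO <master-list>
<track-exception-code>70</track-exception-code>
<track-item-number>779771138490</track-item-number>
<track-location-code>COKED</track-location-code>
<track-scan-time>0933</track-scan-time>
<track-type>07</track-type>
</master-list>
2020-01-23 20:26:10 INFO <master-list>
<track-exception-code>74</track-exception-code>
<track-item-number>12345</track-item-number>
<track-type>7</track-type>
</master-list>
"""

RECORD_RE = re.compile(r"<master-list>.*?</master-list>", re.DOTALL)


def _as_int(text):
    """Return text as an int, or None when it is missing or not numeric."""
    try:
        return int(text.strip())
    except (AttributeError, ValueError):
        return None


def item_numbers(log_text, track_type, exception_code):
    """Return track-item-number of every record matching both conditions."""
    matches = []
    for fragment in RECORD_RE.findall(log_text):
        try:
            record = ET.fromstring(fragment)
        except ET.ParseError:
            continue  # skip truncated or malformed records
        # Compare numerically so "07" and "7" are treated as the same type.
        if (_as_int(record.findtext("track-type")) == track_type
                and _as_int(record.findtext("track-exception-code")) == exception_code):
            item = record.findtext("track-item-number")
            if item is not None:
                matches.append(item.strip())
    return matches


if __name__ == "__main__":
    print(item_numbers(SAMPLE_LOG, 7, 70))
```

Evaluating both conditions inside one parsed record keeps the values correlated when a log holds several `<master-list>` blocks.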