Hi,
I am trying to search and display the data from an XML-based log file with a matching condition.
My XML is like below:
<track-exception-code>70</track-exception-code>
<track-item-number>779771138490</track-item-number>
<track-location-code>COKED</track-location-code>
<track-scan-time>0933</track-scan-time>
<track-type>07</track-type>
I used the below query to search for the track-item-number
host="" source="" |xpath outfield=track-item-number "//EnhancedEvent/master-list[track-type='07']/track-item-number"
The result should display track-item-number as 779771138490 when I use the condition where track-type=07 and track-exception-code=70
No results were displayed when I ran the above query. Could you please help me in this regard?
Regards
Rafi
@rafimails Sometimes using xpath or spath isn't what's best for readability or easiest. Sometimes it is. I've found using regular expressions is sometimes quite similar in performance and easier for readability, which is what I'll show you below in a run anywhere example:
| makeresults
| eval _raw="<track-exception-code>70</track-exception-code>,<track-item-number>779771138490</track-item-number>,<track-location-code>COKED</track-location-code>,<track-scan-time>0933</track-scan-time>,<track-type>07</track-type>"
| makemv _raw delim=","
| rex field=_raw "<track-exception-code>(?<track_exception_code>.+)<\/track-exception-code>"
| rex field=_raw "<track-item-number>(?<track_item_number>.+)</track-item-number>"
| rex field=_raw "<track-location-code>(?<track_location_code>.+)</track-location-code>"
| rex field=_raw "<track-scan-time>(?<track_scan_time>.+)<\/track-scan-time>"
| rex field=_raw "<track-type>(?<track_type>.+)<\/track-type>"
Now all your data is in fields that you can manipulate as you need. Cheers!
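Added example, not part of the original thread: a run-anywhere search that puts both conditions from the question (track-type and track-exception-code) into a single XPath predicate and keeps only the events where it matched. The two sample events are constructed, and both the EnhancedEvent/master-list wrapper and _raw holding exactly one well-formed XML document per event are assumptions.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=if(n==1,
    "<EnhancedEvent><!-- constructed sample --><master-list><track-exception-code>70</track-exception-code><track-item-number>779771138490</track-item-number><track-location-code>COKED</track-location-code><track-scan-time>0933</track-scan-time><track-type>07</track-type></master-list></EnhancedEvent>",
    "<EnhancedEvent><!-- constructed sample --><master-list><track-exception-code>74</track-exception-code><track-item-number>12345</track-item-number><track-type>7</track-type></master-list></EnhancedEvent>")
| xpath outfield=track_item_number "//master-list[track-type='07' and track-exception-code='70']/track-item-number"
| where isnotnull(track_item_number)
| table _time track_item_number
```

Starting the expression at //master-list keeps the match independent of the exact root element name, which the thread spells more than one way.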
This XML data in the logs is dynamic. I just want to search the data based on a condition. Example: my sample log file name is sample.log, the host is abc, and in the sample log let's say track-type is 7, track-exception-code is 74 and track-item-number is 12345
I want to read this log file and display the track-item-number as 12345 when track-type=7 and track-exception-code=74
The root elements for the XML file are Enhancementevent and masterlist
The sample XML file looks like below
12345
7
74
Search string:
host=abc source= sample.log
....
| spath
Hi, how about this
Can you give me the full query with spath?
Sorry, I can't touch Splunk right now.
another way:
index=yourindex "<track-item-number>"
|rex "\<track-item-number\>(?<track_item_number>\d+)"
Maybe it works.
not working
Can the index name be anything? If not, where can I see the index name?
Sorry, you can't try spath?
_time                track-exception-code  track-item-number  track-location-code  track-scan-time  track-type
2020/01/23 20:25:50  70                    779771138490       COKED                0933             07
The fields should be extracted neatly
Can you give me the search string for the above result?
This is what my XML looks like
<master-list>
<track-exception-code>70</track-exception-code>
<track-item-number>779771138490</track-item-number>
<track-location-code>COKED</track-location-code>
<track-scan-time>0933</track-scan-time>
<track-type>07</track-type>
Please add your query below.
| spath