Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to append XML from subsearch

helius
Path Finder
‎12-10-2014 11:01 AM

I'm trying to append xmlkv results to my original search string. Here is what I've tried, and what is not working.

index=content_eng source="dbmon-tail://kemgr-a1p/Jobs General" | eval JobID=id | eval XML_SRC=("/opt/elemental_se/web/log/*/job_"+JobID+"/*_emecmd.xml") | convert timeformat="%H%M%S" mktime(completed_at) mktime(started_at) | fieldformat completed_at=strftime(completed_at,"%H:%M:%S") | fieldformat started_at=strftime(started_at,"%H:%M:%S") | eval TimeDiff=completed_at-started_at | eval JobLength=strftime(TimeDiff, "%M:%S") | append [ search source=XML_SRC  "<command value='job'>" | xmlkv ]

Is the XML_SRC going to work in a subsearch like that? Any suggestions on how to achieve this? If anything, I'd like to obtain just one result of the xmlkv in the subsearch. It's named file_size. But there is a bunch more I'd like to eventually include, so I figured just bringing it all in as extra fields would be best.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

helius
Path Finder
‎12-18-2014 02:48 PM

I was able to figure this out. Here is the final result:

[ search index=content_eng source="dbmon-tail://kemgr-a1p/Jobs General" | eval source=("/opt/elemental_se/web/log/*/job_"+id+"/*_emecmd.xml") | table source ] | rex field=source "job_(?<JobID>\d+)" | search "<command value='job'>" | xmlkv | stats count by JobID, file_size | appendcols [ search index=content_eng source="dbmon-tail://kemgr-a1p/Jobs General" | convert timeformat="%H%M%S" mktime(completed_at) mktime(started_at)  | fieldformat completed_at=strftime(completed_at,"%H:%M:%S")  | fieldformat started_at=strftime(started_at,"%H:%M:%S") | eval TimeDiff=completed_at-started_at  | eval JobLength=strftime(TimeDiff, "%M:%S") ] | table id started_at completed_at JobLength file_size

alt text

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

helius
Path Finder
‎12-18-2014 02:48 PM

I was able to figure this out. Here is the final result:

[ search index=content_eng source="dbmon-tail://kemgr-a1p/Jobs General" | eval source=("/opt/elemental_se/web/log/*/job_"+id+"/*_emecmd.xml") | table source ] | rex field=source "job_(?<JobID>\d+)" | search "<command value='job'>" | xmlkv | stats count by JobID, file_size | appendcols [ search index=content_eng source="dbmon-tail://kemgr-a1p/Jobs General" | convert timeformat="%H%M%S" mktime(completed_at) mktime(started_at)  | fieldformat completed_at=strftime(completed_at,"%H:%M:%S")  | fieldformat started_at=strftime(started_at,"%H:%M:%S") | eval TimeDiff=completed_at-started_at  | eval JobLength=strftime(TimeDiff, "%M:%S") ] | table id started_at completed_at JobLength file_size

alt text

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...