Splunk Search

Monitoring XML files in directory, why isn't splunk giving expected result?

adityaanand
Explorer

Hi,
I am trying to monitor a directory which contains multiple XML files, which may contain exactly the same contents or different ones.
I have selected source type automatic. After indexing the data it created the total number of events as the number of files in the directory, i.e. Splunk is considering each file as one event.
My XML file look like:

  <Details>
       <Location>
         <Region>APAC</Region>
         <Country>India</Country>
         <State>Karnataka</State>
         <City>Bangalore</City>
      </Location>
 </Details>
 <TargetMachines>
      <TargetMachine Name="win7a2" IPAddress="10.167.177.30" Status="Running" >
           <Tasks>
                   <Task TaskSer="137" PackageName="Client Applications" PackageVersion="V13.5 (P1007499-002)"  Status="Fail">
                       <Steps>
                              <Step ID="f2b56177-" Name="ARIA PM" Status="Pass" StepSer="4738" />
                              <Step ID="46b4db06" Name="ARIA RO" Status="Fail" StepSer="4739" />
                              <Step ID="3de785d5-c6" Name="Deluxe Reports" Status="NotStarted" StepSer="4742" />
                               ...........
                               ...........
                        </Steps>
                   </Task>
              </Tasks>
   </TargetMachine>
   <TargetMachine Name="win7a3" IPAddress="10.167.177.31" Status="NoCommunication" >
           <Tasks>
                   <Task TaskSer="138" PackageName="Client Applications" PackageVersion="V13.5 (P1007499-002)"  Status="Fail">
                       <Steps>
                              <Step ID="f2b56174-" Name="ARIA PM" Status="Pass" StepSer="4656" />
                              <Step ID="46b4db03" Name="ARIA RO" Status="Fail" StepSer="4657" />
                              <Step ID="3de785d5" Name="Deluxe Reports" Status="NotStarted" StepSer="4658" />
                               ..................
                              ..................
                        </Steps>
                   </Task>
              </Tasks>
   </TargetMachine>

 </TargetMachines>
And so on...

Now, the Splunk searches I want to achieve:
1. Count of unique IPAddress by Region/State/City
2. Count of unique IPAddress by Status (here the Status of the <TargetMachine> tag) in a specific Region (for example APAC)

I have tried following query for question 1.

 source="C:\\Users\\gbisht\\Desktop\\Data Analytics\\RSD_Demo_Global_2\\*" host="PU4LDPSHT12"
 | spath output="Region" path="RSDReport.SiteDetail.Location.Region"
 | spath output="IPAddress" path="RSDReport.TargetMachines.TargetMachine{@IPAddress}"
 | stats dc(IPAddress) by Region

It is giving correct output.

I did the same for question 2.

 source="C:\\Users\\gbisht\\Desktop\\Data Analytics\\RSD_Demo_Global_2\\*" host="PU4LDPSHT12"
 | spath
 | spath output="Region" path="RSDReport.SiteDetail.Location.Region"
 | search Region="AMEA"
 | spath output="IPAddress" path="RSDReport.TargetMachines.TargetMachine{@IPAddress}"
 | stats dc(IPAddress) by RSDReport.TargetMachines.TargetMachine{@Status}

But it is not giving expected result.

Please help.

Regards,
Aditya

0 Karma
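As an added worked example (not code from this thread), the Python below builds a few constructed files in the layout shown above and computes both requested counts directly; the RSDReport/SiteDetail wrappers and the AMEA values are assumed from the spath paths in the queries. It makes explicit that Region is a file-level value while Status belongs to each TargetMachine, so IPAddress and Status must be read from the same machine element rather than from two independently extracted lists.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def make_report(region, state, city, machines):
    """Build a constructed report file in the layout from the question.
    The <RSDReport>/<SiteDetail> wrappers are assumed from the spath paths."""
    tm = "".join(
        f'<TargetMachine Name="{n}" IPAddress="{ip}" Status="{st}"><Tasks/></TargetMachine>'
        for n, ip, st in machines)
    return (f"<RSDReport><SiteDetail><Location><Region>{region}</Region>"
            f"<State>{state}</State><City>{city}</City></Location></SiteDetail>"
            f"<TargetMachines>{tm}</TargetMachines></RSDReport>")

# Constructed directory contents; the third file is a copy of the first,
# mirroring the "exactly the same contents" case from the question.
FILES = [
    make_report("APAC", "Karnataka", "Bangalore",
                [("win7a2", "10.167.177.30", "Running"),
                 ("win7a3", "10.167.177.31", "NoCommunication")]),
    make_report("AMEA", "Dubai", "Dubai",
                [("win7b1", "10.20.0.5", "Running"),
                 ("win7b2", "10.20.0.6", "Running"),
                 ("win7b3", "10.20.0.7", "NoCommunication")]),
]
FILES.append(FILES[0])

def parse_report(xml_text):
    """Return (location, machines): location is file-level; machines is a list of
    (IPAddress, Status) pairs, one per <TargetMachine>, so the pairing is kept."""
    root = ET.fromstring(xml_text)
    location = {c.tag: c.text for c in root.find("SiteDetail/Location")}
    machines = [(m.get("IPAddress"), m.get("Status"))
                for m in root.iter("TargetMachine")]
    return location, machines

def dc_ip_by_location(files, field):
    """Question 1: distinct IPAddress count keyed by Region, State or City."""
    seen = defaultdict(set)
    for f in files:
        location, machines = parse_report(f)
        seen[location[field]].update(ip for ip, _ in machines)
    return {k: len(v) for k, v in seen.items()}

def dc_ip_by_status(files, region):
    """Question 2: distinct IPAddress count keyed by TargetMachine Status, one Region."""
    seen = defaultdict(set)
    for f in files:
        location, machines = parse_report(f)
        if location["Region"] == region:
            for ip, status in machines:  # Status comes from the same machine as the IP
                seen[status].add(ip)
    return {k: len(v) for k, v in seen.items()}
```

The duplicated APAC file does not inflate the APAC count, which is the behaviour dc() should give once the per-machine pairing is preserved.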

woodcock
Esteemed Legend

You have two | spath in a row. So fix that first:

 source="C:\\Users\\gbisht\\Desktop\\Data Analytics\\RSD_Demo_Global_2\\*" host="PU4LDPSHT12" | spath output="Region" path="RSDReport.SiteDetail.Location.Region" | search Region ="AMEA" | spath output="IPAddress" path="RSDReport.TargetMachines.TargetMachine{@IPAddress}" | stats dc(IPAddress) by RSDReport.TargetMachines.TargetMachine{@Status}

If it still doesn't work, your curly-braces may be being misinterpreted (it would definitely help if you gave us any error text that is resulting); try this:

 source="C:\\Users\\gbisht\\Desktop\\Data Analytics\\RSD_Demo_Global_2\\*" host="PU4LDPSHT12" | spath output="Region" path="RSDReport.SiteDetail.Location.Region" | search Region ="AMEA" | spath output="IPAddress" path="RSDReport.TargetMachines.TargetMachine{@IPAddress}" | stats dc(IPAddress) by $RSDReport.TargetMachines.TargetMachine{@Status}$

Or maybe this:

 source="C:\\Users\\gbisht\\Desktop\\Data Analytics\\RSD_Demo_Global_2\\*" host="PU4LDPSHT12" | spath output="Region" path="RSDReport.SiteDetail.Location.Region" | search Region ="AMEA" | spath output="IPAddress" path="RSDReport.TargetMachines.TargetMachine{@IPAddress}" | stats dc(IPAddress) by RSDReport.TargetMachines.TargetMachine*Status*
0 Karma

adityaanand
Explorer

After using all of the queries above, it is giving No Result Found.
But when I add one extra spath after host, it gives some result, but not the correct one. I mean, as I wrote above.

0 Karma

woodcock
Esteemed Legend

The general approach in these situations is to strip off everything after the last pipe ("|") and keep doing this until you get data that makes sense. Then add them back in going the other way one-by-one and figure out what you did wrong.

0 Karma