rex expression to extract field from XML message

keeplearningbud · ‎05-04-2017

Hi..

I am trying to create a dashboard which extracts errorCode field from multiple xmls. Xpath for it would be different for different outputs. For ex: for createUser it is abc and for deleteUser it would be xyz. I need to have the xpath dynamic which extracts errorCode alone. I am trying with below expression which I know makes no sense. Please help.

|rex "(?.),(?.),(?.),(?.),(?s)(?.*)" | spath input=PAYLOAD output=fault path="*errorCode" |stats count(fault) as FaultCount by fault

The above is retrieving zero results.

DalJeanis · ‎05-04-2017

If you have multiple different XML formats, but the same tag name, then you would probably be better off using a rex to extract it, rather than spath.

Try this -

| rex  "\<errorCode\>\s+?(?<errorCode>\S[^<]+?)\s+?\<\/errorCode\>"

Over at regex101.com that one managed to pull the reallygoodstuff out of this one...

<biggerstuff>  <stuff> we dont care about this  </stuff> <errorCode> reallygoodstuff </errorCode> </biggerstuff>

... and thereally good stuff out of this one ...

<biggerstuff> <morestuff> this is just extra </morestuff> <stuff> we dont care about this  </stuff> <errorCode> really good stuff </errorCode> <junk> and I really hate this junk </junk> </biggerstuff>

keeplearningbud · ‎05-04-2017

Sir. Thanks for the reply. But I am unable to apply this to splunk dash board. I am clueless about the mistake.

host="xyz*" index="abc" (",log_," ) | rex "(?.),(?.),(?.),(?.),(?s)(?.)" |rex fault=PAYLOAD "\s+?(?\S[^<]+?)\s+?<\/errorCode>"| stats count(fault) as FaultCount by fault

rex expression to extract field from XML message

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life