Hi..
I am trying to create a dashboard which extracts errorCode field from multiple xmls. Xpath for it would be different for different outputs. For ex: for createUser it is abc and for deleteUser it would be xyz. I need to have the xpath dynamic which extracts errorCode alone. I am trying with below expression which I know makes no sense. Please help.
|rex "(?.),(?.),(?.),(?.),(?s)(?.*)" | spath input=PAYLOAD output=fault path="*errorCode" |stats count(fault) as FaultCount by fault
The above is retrieving zero results.
If you have multiple different XML
formats, but the same tag name, then you would probably be better off using a rex
to extract it, rather than spath
.
Try this -
| rex "\<errorCode\>\s+?(?<errorCode>\S[^<]+?)\s+?\<\/errorCode\>"
Over at regex101.com that one managed to pull the reallygoodstuff
out of this one...
<biggerstuff> <stuff> we dont care about this </stuff> <errorCode> reallygoodstuff </errorCode> </biggerstuff>
... and thereally good stuff
out of this one ...
<biggerstuff> <morestuff> this is just extra </morestuff> <stuff> we dont care about this </stuff> <errorCode> really good stuff </errorCode> <junk> and I really hate this junk </junk> </biggerstuff>
Sir. Thanks for the reply. But I am unable to apply this to splunk dash board. I am clueless about the mistake.
host="xyz*" index="abc" (",log_," ) | rex "(?.),(?.),(?.),(?.),(?s)(?.)" |rex fault=PAYLOAD "\s+?(?\S[^<]+?)\s+?<\/errorCode>"| stats count(fault) as FaultCount by fault