Splunk Search

rex expression to extract field from XML message

keeplearningbud
New Member

Hi..

I am trying to create a dashboard which extracts errorCode field from multiple xmls. Xpath for it would be different for different outputs. For ex: for createUser it is abc and for deleteUser it would be xyz. I need to have the xpath dynamic which extracts errorCode alone. I am trying with below expression which I know makes no sense. Please help.

|rex "(?.),(?.),(?.),(?.),(?s)(?.*)" | spath input=PAYLOAD output=fault path="*errorCode" |stats count(fault) as FaultCount by fault

The above is retrieving zero results.

Tags (4)
0 Karma

DalJeanis
SplunkTrust
SplunkTrust

If you have multiple different XML formats, but the same tag name, then you would probably be better off using a rex to extract it, rather than spath.

Try this -

| rex  "\<errorCode\>\s+?(?<errorCode>\S[^<]+?)\s+?\<\/errorCode\>"

Over at regex101.com that one managed to pull the reallygoodstuff out of this one...

<biggerstuff>  <stuff> we dont care about this  </stuff> <errorCode> reallygoodstuff </errorCode> </biggerstuff>  

... and thereally good stuff out of this one ...

<biggerstuff> <morestuff> this is just extra </morestuff> <stuff> we dont care about this  </stuff> <errorCode> really good stuff </errorCode> <junk> and I really hate this junk </junk> </biggerstuff> 
0 Karma

keeplearningbud
New Member

Sir. Thanks for the reply. But I am unable to apply this to splunk dash board. I am clueless about the mistake.

host="xyz*" index="abc" (",log_," ) | rex "(?.),(?.),(?.),(?.),(?s)(?.)" |rex fault=PAYLOAD "\s+?(?\S[^<]+?)\s+?<\/errorCode>"| stats count(fault) as FaultCount by fault

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...