@yograjpatel, following is a run-anywhere search based on your mock data (anonymized), which extracts the XML data using a regular expression in the rex command and then parses/extracts the fields using the spath command. The round() function is used to convert Amount to two-digit precision.
| makeresults
| eval _raw="13:22:17,351 ABCDefghijHGFDSAab1HabcAB INFO [com.abc.def.webservices.impl.KioskIntegrationServicePortTypeImpl] (http-/120.10.10.0:8000-4) RWS to POS Request:
<tillID>120</tillID>
<registerID>321</registerID>
<storeID>111</storeID>
<amount>203.009999999999990905052982270717620849609375</amount>
<mop>MASTERCARD</mop>"
| rex field=_raw "(?ms)RWS to POS Request:\s+(?<xml_data>.*)"
| spath input=xml_data path=tillID output=tillID
| spath input=xml_data path=registerID output=registerID
| spath input=xml_data path=storeID output=storeID
| spath input=xml_data path=amount output=amount
| spath input=xml_data path=mop output=mop
| eval amount=round(amount,2)
| table tillID registerID storeID amount mop
PS: You will not need the first two pipes, which are used just to mimic the sample data provided. You can add your own base search instead.
Hi Niket,
The answer provided will extract only for that particular event. What if there are multiple?
As far as your events have "RWS to POS Request:" followed by XML Data, the following search should work.
<YourBaseSearchWithIndexSourcetypeAndOtherFilters> "RWS to POS Request:"
| rex field=_raw "(?ms)RWS to POS Request:\s+(?<xml_data>.*)"
| spath input=xml_data path=tillID output=tillID
| spath input=xml_data path=registerID output=registerID
| spath input=xml_data path=storeID output=storeID
| spath input=xml_data path=amount output=amount
| spath input=xml_data path=mop output=mop
| eval amount=round(amount,2)
| table tillID registerID storeID amount mop
Based on your actual sample data your regular expression might change. You can test your Regular Expression on regex101.com. If your data varies you should add more sample data. Make sure you mock/anonymize sensitive information.
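To show what the rex/spath/round pipeline from the two searches above actually does when run over several events, here is an added Python emulation; it is not part of this thread and not Splunk's own code. It assumes events are already delimited one per string (as Splunk delivers them), uses Python's `(?P<name>...)` syntax for Splunk's `(?<name>...)` group, wraps the root-less XML fragment in a synthetic root so it can be parsed, and counts events that do not match the marker, which is the case that leaves empty rows in the table. The sample events are constructed in the same anonymized style as the thread's mock data.

```python
import re
from decimal import Decimal, ROUND_HALF_UP, InvalidOperation
import xml.etree.ElementTree as ET

# Marker and field names come from the thread; the pattern mirrors the rex command.
# (?ms): multi-line and dot-matches-newline, so .* takes the rest of the event.
MARKER_RE = re.compile(r"(?ms)RWS to POS Request:\s+(?P<xml_data>.*)")
FIELDS = ("tillID", "registerID", "storeID", "amount", "mop")

# Constructed sample events (anonymized); hostnames, ids and amounts are made up.
SAMPLE_EVENTS = [
    "13:22:17,351 ABCDefghijHGFDSAab1HabcAB INFO "
    "[com.abc.def.webservices.impl.KioskIntegrationServicePortTypeImpl] "
    "(http-/120.10.10.0:8000-4) RWS to POS Request:\n"
    "<tillID>120</tillID>\n<registerID>321</registerID>\n<storeID>111</storeID>\n"
    "<amount>203.009999999999990905052982270717620849609375</amount>\n"
    "<mop>MASTERCARD</mop>",
    "13:22:18,002 ABCDefghijHGFDSAab1HabcAB INFO "
    "[com.abc.def.webservices.impl.KioskIntegrationServicePortTypeImpl] "
    "(http-/120.10.10.0:8000-5) RWS to POS Request:\n"
    "<tillID>121</tillID>\n<registerID>322</registerID>\n<storeID>111</storeID>\n"
    "<amount>17.5</amount>\n<mop>VISA</mop>",
    # No marker: the rex step yields nothing, which is what shows up as an empty row.
    "13:22:19,777 ABCDefghijHGFDSAab1HabcAB INFO "
    "[com.abc.def.webservices.impl.KioskIntegrationServicePortTypeImpl] "
    "(http-/120.10.10.0:8000-6) POS to RWS Response: OK",
]


def extract_xml_data(event):
    """Equivalent of the rex command: the text after the marker, or None if absent."""
    m = MARKER_RE.search(event)
    return m.group("xml_data") if m else None


def parse_fields(xml_data):
    """Equivalent of the spath commands. The fragment has no root element,
    so it is wrapped in a synthetic <root> before parsing; missing tags yield ''."""
    root = ET.fromstring("<root>" + xml_data + "</root>")
    return {name: (root.findtext(name) or "").strip() for name in FIELDS}


def round_amount(text):
    """Equivalent of round(amount, 2). Decimal avoids binary-float rounding
    surprises on long fractional strings like the one in the sample event."""
    try:
        return str(Decimal(text).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP))
    except InvalidOperation:
        return ""  # non-numeric or empty amount: leave the cell blank, as Splunk would


def build_table(events):
    """Run the whole pipeline; return (rows, number_of_events_without_marker)."""
    rows, unmatched = [], 0
    for event in events:
        xml_data = extract_xml_data(event)
        if xml_data is None:
            unmatched += 1
            continue
        row = parse_fields(xml_data)
        row["amount"] = round_amount(row["amount"])
        rows.append(row)
    return rows, unmatched


if __name__ == "__main__":
    rows, unmatched = build_table(SAMPLE_EVENTS)
    print("\t".join(FIELDS))
    for row in rows:
        print("\t".join(row[f] for f in FIELDS))
    print(f"{unmatched} event(s) did not contain the marker")
```

The `unmatched` count is the diagnostic to look at when the table comes back empty: if it equals the number of events, the marker text or the whitespace after it differs from what the regular expression expects, and the pattern (not the spath steps) is what needs adjusting.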
Hi Niket,
I see the query is working but the table output is all empty. I do see 35 events in the last 10 mins but no data in the table statistics.
You can test the regular expression RWS to POS Request:\s+(?<xml_data>.*)
on regex101.com with some sample data from your logs like the one you have posted. You might have to change the regular expression based on your data.
The event snippet is like this:
8/4/17
1:22:17.351 PM
13:22:17,351 OZqYohdqfDMZQPTxk5JruzNT INFO com.cox.rws.webservices.impl.KioskIntegrationServicePortTypeImpl RWS to POS Request:
<tillID>900</tillID>
<registerID>200</registerID>
<storeID>138</storeID>
<amount>203.009999999999990905052982270717620849609375</amount>
<mop>MASTERCARD</mop>