How can I order events based on how they appear in...

mawomommoh · ‎01-25-2018

I have an XML file which is in this format:

<?xml version="1.0"?>
<EvaluateMethods xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <DataCollectionMethods>
    <DataCollectionMethod Description="xxx" StepResult="Passed">
      <Steps>
        <Step xsi:type="xxx" Description="Dataxxx" StepResult="Passed">
          <Steps>
            <Step xsi:type="xxx" Description="Survey" StepResult="Passed" />
            <Step xsi:type="xxx" Description="Analyze survey" StepResult="Passed" />
            <Step xsi:type="xxx" Description="Extract data" StepResult="Skipped" />
            <Step xsi:type="xxx" Description="Analyze data" StepResult="Passed" />
            <Step xsi:type="xxx" Description="Combine data from various sources" StepResult="Passed" />
            <Step xsi:type="xxx" Description="Deliver results" StepResult="Failed" />
            <Step xsi:type="xxx" Description="Get feedback" StepResult="Passed" />
            <Step xsi:type="xxx" Description="Process feedback" StepResult="Passed" />
            <Step xsi:type="xxx" Description="Make improvements" StepResult="Passed" />
          </Steps>
        </Step>
      </Steps>
      <Start>2022-09-05T99:64:73.0990042+22:00</Start>
      <Files />
    </DataCollectionMethod>
  </DataCollectionMethods>
</EvaluateMethods>

There are no timestamps to the steps. After adding the file to splunk, the events (comprising of the Description and StepResult) appear in alphabetical order (using the Description) when I do a splunk search. How do I order the output of my search to appear in the same order they were in the XML file (i.e. how can I make the result of my search to be displayed step-by-step as contained in the XML file?)... Thanks

DalJeanis · ‎01-26-2018

Here's one way

| makeresults 
| eval myJSON="<?xml version=\"1.0\"?>
 <EvaluateMethods xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">
   <DataCollectionMethods>
     <DataCollectionMethod Description=\"xxx\" StepResult=\"Passed\">
       <Steps>
         <Step xsi:type=\"xxx\" Description=\"Dataxxx\" StepResult=\"Passed\">
           <Steps>
             <Step xsi:type=\"xxx\" Description=\"Survey\" StepResult=\"Passed\" />
             <Step xsi:type=\"xxx\" Description=\"Analyze survey\" StepResult=\"Passed\" />
             <Step xsi:type=\"xxx\" Description=\"Extract data\" StepResult=\"Skipped\" />
             <Step xsi:type=\"xxx\" Description=\"Analyze data\" StepResult=\"Passed\" />
             <Step xsi:type=\"xxx\" Description=\"Combine data from various sources\" StepResult=\"Passed\" />
             <Step xsi:type=\"xxx\" Description=\"Deliver results\" StepResult=\"Failed\" />
             <Step xsi:type=\"xxx\" Description=\"Get feedback\" StepResult=\"Passed\" />
             <Step xsi:type=\"xxx\" Description=\"Process feedback\" StepResult=\"Passed\" />
             <Step xsi:type=\"xxx\" Description=\"Make improvements\" StepResult=\"Passed\" />
           </Steps>
         </Step>
       </Steps>
       <Start>2022-09-05T99:64:73.0990042+22:00</Start>
       <Files />
     </DataCollectionMethod>
   </DataCollectionMethods>
 </EvaluateMethods>"
 | rename COMMENT as "The above just enters your sample JSON as a single event"

 | rex field=myJSON max_match=0 "\<Step\sxsi:type=\"(?<xsitype>[^\"]*)\"\s*Description=\"(?<Description>[^\"]*)\"\s*StepResult=\"(?<StepResult>[^\"]*)\""
 | eval mycount=mvcount(Description)
 | eval counter=mvrange(0,mycount)
 | eval zipped= mvzip(mvzip(mvzip(counter,xsitype,"!!!!"),Description,"!!!!"),StepResult,"!!!!")
 | mvexpand zipped
 | fields zipped
 | rex field=zipped "^(?<counter>.*?)!!!!(?<xsitype>.*?)!!!!(?<Description>.*?)!!!!(?<StepResult>.*)"

DalJeanis · ‎01-25-2018

does the data actually have steps within steps?

logically, you have

<steps> 
    <step> 
        <steps>
             <step />
             <step /> 
             <step />
       </steps>
    </step>
</steps>

mawomommoh · ‎01-26-2018

Yes, the data has steps within steps.

DalJeanis · ‎01-26-2018

Do you need to differentiate between the hierarchical levels?

mawomommoh · ‎01-26-2018

I just need to get a key:value pair of the Description and the StepResult of this portion of the file in the order they appear:

<Steps>
             <Step xsi:type="xxx" Description="Survey" StepResult="Passed" />
             <Step xsi:type="xxx" Description="Analyze survey" StepResult="Passed" />
             <Step xsi:type="xxx" Description="Extract data" StepResult="Skipped" />
             <Step xsi:type="xxx" Description="Analyze data" StepResult="Passed" />
             <Step xsi:type="xxx" Description="Combine data from various sources" StepResult="Passed" />
             <Step xsi:type="xxx" Description="Deliver results" StepResult="Failed" />
             <Step xsi:type="xxx" Description="Get feedback" StepResult="Passed" />
             <Step xsi:type="xxx" Description="Process feedback" StepResult="Passed" />
             <Step xsi:type="xxx" Description="Make improvements" StepResult="Passed" />
           </Steps>

So in essence, the Description and StepResult will be field names (in a tabular form) made up of the field values appearing in the same order shown in the file. The order is determined by the Description (not alphabetically, but as in the file).

How can I order events based on how they appear in a file?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!