I have uploaded the XML data below into Splunk Light. Can someone give me a query to get only the value from the tag? Then I can create a dashboard from this result showing that, if MessageID has values, the request reached the destination.
<part name="reqdata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<CreateOrderRequest
xmlns=""
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<TransactionHeader>
<Action>CREATE</Action>
<MessageID>1-6348871101_01/07/2019 05:52:27
</MessageID>
<SourceApplication>SRS1</SourceApplication>
<SourceComponent>Submit Order</SourceComponent>
<TargetApplication>XXX</TargetApplication>
<TargetComponent>Submit Order</TargetComponent>
</TransactionHeader>
</CreateOrderRequest>
</part>
Hi,
spath would definitely work, but that would also create unnecessary fields. If you are just interested in MessageID, then you can try this:
index=<your_index> | rex field=_raw "\<MessageID\>(?<MessageID>[^\<]+)" | search MessageID=*
Let me know if this helps!
Hi @rohithshettyge,
You can use spath in your query, so your query will look like this:
<yourBaseQuery> | spath
Here is a run-anywhere search:
| makeresults
| eval _raw="<part name=\"reqdata\"
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">
<CreateOrderRequest
xmlns=\"\"
xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">
<TransactionHeader>
<Action>CREATE</Action>
<MessageID>1-6348871101_01/07/2019 05:52:27
</MessageID>
<SourceApplication>SRS1</SourceApplication>
<SourceComponent>Submit Order</SourceComponent>
<TargetApplication>XXX</TargetApplication>
<TargetComponent>Submit Order</TargetComponent>
</TransactionHeader>
</CreateOrderRequest>
</part>"
| spath
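A variant of the rex approach aimed at the dashboard use case, added here as an example and not part of the original thread: it keeps the line break that precedes `</MessageID>` in the sample out of the extracted value and flags events whose MessageID is empty or absent. The three events are constructed (the first reuses the MessageID from the question), and the field name `reached_destination` is an assumption; the block carries no inline comments because SPL comments are delimited by triple backticks.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n=1, "<TransactionHeader><Action>CREATE</Action><MessageID>1-6348871101_01/07/2019 05:52:27
</MessageID></TransactionHeader>",
    n=2, "<TransactionHeader><Action>CREATE</Action><MessageID>
</MessageID></TransactionHeader>",
    n=3, "<TransactionHeader><Action>CREATE</Action></TransactionHeader>")
| rex field=_raw "<MessageID>\s*(?<MessageID>[^<\s][^<]*?)\s*</MessageID>"
| eval reached_destination=if(isnotnull(MessageID), "yes", "no")
| table n MessageID reached_destination
```

Against real data, replace the first three commands with the base search; a `stats count BY reached_destination` in place of the final `table` gives a single panel comparing requests with and without a MessageID.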