Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

XML Field Extraction -- Multiple Lines

ksimpkins
New Member
‎03-12-2013 06:21 AM

I am new to Splunk and have been messing with this for about a week so I am looking to the community to help. I pretty much have multiple xml errors that I am trying to extract the error code "VOSCM0000I", the severity "Info" and the message "Transaction successful" out of multiple lines over a duration. Top offender over a period of time.

Any thoughts?

 <ResponseMessage>
    <mes:StatusCode>1</mes:StatusCode>
    <mes:BusinessMessage>
      <mes:Code>VOSCM0000I</mes:Code>
      <mes:Severity>Info</mes:Severity>
      <mes:LocalizedMessage>Transaction successful</mes:LocalizedMessage>
    </mes:BusinessMessage>
    <mes:BusinessMessage>
      <mes:Code>RENTAL003067</mes:Code>
      <mes:Severity>Error</mes:Severity>
      <mes:FieldName>ValidateTicketInput.ticket</mes:FieldName>
      <mes:LocalizedMessage>Total renter charge amount for this ticket obtained from pricing and payment is not matching.</mes:LocalizedMessage>
    </mes:BusinessMessage>
  </ResponseMessage>
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-12-2013 10:02 AM

I like Martin's solution, but I would finish it differently. Either should work, though.

yoursearchhere
| spath output=msg path=ResponseMessage.mes:BusinessMessage 
| mvexpand msg
| rex "(?m)mes\:Code\>(?<Code>.*?)\<.*?mes\:Severity\>(?<Severity>.*?)\<.*?mes\:LocalizedMessage\>(?<Message>.*?)\<"
| top Code Severity Message

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-12-2013 10:02 AM

I like Martin's solution, but I would finish it differently. Either should work, though.

yoursearchhere
| spath output=msg path=ResponseMessage.mes:BusinessMessage 
| mvexpand msg
| rex "(?m)mes\:Code\>(?<Code>.*?)\<.*?mes\:Severity\>(?<Severity>.*?)\<.*?mes\:LocalizedMessage\>(?<Message>.*?)\<"
| top Code Severity Message
Reply
Solved! Jump to solution

lguinn2
Legend
‎03-12-2013 11:20 AM

Good point - I wasn't thinking about the fact that XML is order-independent for subelements.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-12-2013 10:07 AM

An upside to the spath way is that it ignores different orderings and allows for optional elements without mucking up the regular expression - if for instance there were events with no localized message the expression would not match at all.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-12-2013 09:24 AM

For the extraction spath is your friend:

...  | spath output=msg path=ResponseMessage.mes:BusinessMessage | mvexpand msg | spath input=msg output=Code path=mes:Code | and so on
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...