Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can i extract keywords from my log as field values for field name API's

Sujithkumarkb
Observer
‎01-09-2020 03:52 AM

How can i extract the below block letter keywords (OrderUpdateWithAccountInfoRequest ,VinValidationRequest,GetEntitledRequest ..)from my log as field values for field name API's?

2020-01-09 03:58:08,280 INFO com.hti.gw.interceptor.ServiceInterceptor (Hughes_Tre13342)
<OrderUpdateWithAccountInfoRequest ** xmlns:ns5=".......
2020-01-08 06:25:25,836 INFO com.vzt.pg.AbstractMiddlewareDelegate (AMP_RptDqckdAsT5ldcFG8eh_tdzbmtxux44z850) <VinValidationRequest** xmlns:ns2="http://www.hughestelematics.com.....
2020-01-08 06:25:25,546 INFO com.vzt.pg.AbstractMiddlewareDelegate (AMP_RptDqckdAsT5ldcFG8eh_tdzbmtxux44z850) <GetEntitledRequest xmlns:ns2="ht......
2020-01-08 06:20:13,637 INFO com.vzt.pg.AbstractMiddlewareDelegate
(AMP_RptDqckdAsT5ldcFG8eh_9wiiwnvakzcdc66) <VinValidationRequest xmlns:ns2="http:/......

0 Karma
Reply

TISKAR
Builder
‎01-09-2020 06:53 AM

Hello :),

I simulate the extractation of API field, This is example to extract field API from log, you can past this request in your empty search and run it:

| makeresults
| eval raw="2020-01-09 03:58:08,280 INFO \[com.hti.gw.interceptor.ServiceInterceptor\] (default task-24) (Hughes_Tre13342)
<OrderUpdateWithAccountInfoRequest xmlns:ns5=\"....\" API=\"Smile\"> <second ligne>" 
| rex field=raw "OrderUpdateWithAccountInfoRequest[^API]+API=\"(?<API>[^\"]+)"
0 Karma
Reply

Sujithkumarkb
Observer
‎01-09-2020 10:22 PM

@TISKAR , thanks for your response but this rex is extracting only the value "Smile" and not OrderUpdateWithAccountInfoRequest ,VinValidationRequest,GetEntitledRequest ...

0 Karma
Reply

TISKAR
Builder
‎01-10-2020 12:29 AM

Try this:

| makeresults
 | eval raw="2020-01-09 03:58:08,280 INFO \[com.hti.gw.interceptor.ServiceInterceptor\] (default task-24) (Hughes_Tre13342)
 <OrderUpdateWithAccountInfoRequest xmlns:ns5=\"....\" API=\"Smile\"> <second ligne>" 
 | rex field=raw "<(?<API>\S+)"
0 Karma
Reply

Sujithkumarkb
Observer
‎01-10-2020 01:26 AM

@TISKAR , that works . This way i can extract one API at a time , But there are more than 400 APIs like OrderUpdateWithAccountInfoRequest ..
How can I generically run Rex and extract all APIs under the field API and save them as extracted field values

0 Karma
Reply

TISKAR
Builder
‎01-10-2020 02:16 AM

@Sujithkumarkb try to use max_match option of rex:

  | rex max_match=50 field=raw ".*<(?<API>\S+)"

Example:

| makeresults
  | eval raw="2020-01-09 03:58:08,280 INFO \[com.hti.gw.interceptor.ServiceInterceptor\] (default task-24) (Hughes_Tre13342)
  <OrderUpdateWithAccountInfoRequest xmlns:ns5=\"....\" API=\"Smile\"> 2020-01-09 03:58:08,280 INFO \[com.hti.gw.interceptor.ServiceInterceptor\] (default task-24) (Hughes_Tre13342)
  <TEST xmlns:ns5=\"....\" API=\"Smile\">" 
  | rex max_match=50 field=raw ".*<(?<API>\S+)"
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-09-2020 05:20 AM

The rex command will do that at search time.

... | rex "\)\s+\<(?<API>\S+)" | ...
---
If this reply helps you, Karma would be appreciated.
Reply

Sujithkumarkb
Observer
‎01-09-2020 10:21 PM

@richgalloway Thanks for the response , but this rex is extracting only the value "?xml" and not OrderUpdateWithAccountInfoRequest ,VinValidationRequest,GetEntitledRequest ...

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2020 03:52 AM

Interesting. There is no "?xml" in your sample data so, of course, that was not tested. Is there anything else about the data we should know?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Sujithkumarkb
Observer
‎01-10-2020 04:42 AM

There is ?xml in the data , but that being extracted as the field value is not expected .
The expected extraction is OrderUpdateWithAccountInfoRequest ,VinValidationRequest,GetEntitledRequest etc shown on the raw data .

The data is api requests that are made , where i am trying to capture the API names and once filtered for it on dashboard , i will be populating its respective responses .
for example OrderUpdateWithAccountInfoRequest is a API request which i would want to add as a value in multselect and once it is selected i would populate the OrderUpdateWithAccountInfoResponse xml from raw data as output.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...