Re: Can you help me extract field values and displ...

harishnpandey · ‎01-30-2019

XYZ
JACK
479
Cannot update Employee record
10300458578837

Above data is in XML format and I need to get below result

1) Extract field values and display those values as responseTypeCode requestSourceCode responseMessage correlationId.
2) Get the count based on requestSourceCode,responseTypeCode,responseCode

chrisyounger · ‎01-30-2019

Hi @harishnpandey

Try using |spath using the following documentation as a guide: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath#Basic_examples

Then use |stats count by requestSourceCode responseTypeCode responseCode

Here is an example:

|makeresults | eval _raw =  "<responseTypeCode>XYZ</responseTypeCode>
   <requestSourceCode>JACK</requestSourceCode>
   <responseCode>479</responseCode>
   <responseMessage>Cannot update Employee record</responseMessage>
   <correlationId>10300458578837</correlationId>"
   | spath | stats count by requestSourceCode responseCode responseMessage

Hope this is helpful

harishnpandey · ‎01-30-2019

Below is my xml data and similarly I have thousands of records logged into file

[1/30/19 13:20:28:237 EST] 000001d2 AppServi E   <?xml version="1.0" encoding="UTF-8"?>
<UpdateEmpInformationResponse xsi:type="in:UpdatePolicyInformationResponse" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:in="http://abc.ig.com/com/internal/interfaceobjects">
  <responseTypeCode>UBI</responseTypeCode>
  <requestSourceCode>JIU</requestSourceCode>
  <responseCode>479</responseCode>
  <responseMessage>Cannot update Employee record</responseMessage>
  <correlationId>10300458578837</correlationId>
  <error>
    <errorMessageDescription>ChoreographUpdateEmpInformation - Cannot update Employee record</errorMessageDescription>
    <errorCode>479</errorCode>
  </error>
</UpdateEmpInformationResponse>

harishnpandey · ‎01-30-2019

thanks for your quick reply. But i dont want to limit my search to above .I need to search through entire log file and get the result .

woodcock · ‎01-30-2019

He is giving you a run-anywhere example to PROVE to you that line #6 will do what you need. Take line #6 and append it to your existing search. Profit. Come back here and click Accept and UpVote.

chrisyounger · ‎01-30-2019

Yep my example should work with your whole dataset. Just do it like this: <your search> | spath | stats count by requestSourceCode responseCode responseMessage

chrisyounger · ‎01-30-2019

If your data is more complicated than you have shown here then this query will require a few changes

harishnpandey · ‎01-30-2019

Data is in XML format 

<responseTypeCode>XYZ</responseTypeCode>
  <requestSourceCode>JACK</requestSourceCode>
  <responseCode>479</responseCode>
  <responseMessage>Cannot update Employee record</responseMessage>
  <correlationId>10300458578837</correlationId>

harishnpandey · ‎01-31-2019

I tried suggested spath option no luck 😞

chrisyounger · ‎01-31-2019

If you post the entire contents of a single event (from splunk not raw data) we will be better able to help you

Can you help me extract field values and display those values as responseTypeCode requestSourceCode responseMessage correlationId?

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team