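<responseTypeCode>XYZ</responseTypeCode>
<requestSourceCode>JACK</requestSourceCode>
<responseCode>479</responseCode>
<responseMessage>Cannot update Employee record</responseMessage>
<correlationId>10300458578837</correlationId>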
The above data is in XML format and I need to get the result below:
1) Extract field values and display those values as responseTypeCode requestSourceCode responseMessage correlationId.
2) Get the count based on requestSourceCode, responseTypeCode, responseCode
Hi @harishnpandey
Try using | spath, using the following documentation as a guide: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath#Basic_examples
Then use |stats count by requestSourceCode responseTypeCode responseCode
Here is an example:
|makeresults | eval _raw = "<responseTypeCode>XYZ</responseTypeCode>
<requestSourceCode>JACK</requestSourceCode>
<responseCode>479</responseCode>
<responseMessage>Cannot update Employee record</responseMessage>
<correlationId>10300458578837</correlationId>"
| spath | stats count by requestSourceCode responseCode responseMessage
Hope this is helpful
Below is my XML data, and similarly I have thousands of records logged into the file
[1/30/19 13:20:28:237 EST] 000001d2 AppServi E <?xml version="1.0" encoding="UTF-8"?>
<UpdateEmpInformationResponse xsi:type="in:UpdatePolicyInformationResponse" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:in="http://abc.ig.com/com/internal/interfaceobjects">
<responseTypeCode>UBI</responseTypeCode>
<requestSourceCode>JIU</requestSourceCode>
<responseCode>479</responseCode>
<responseMessage>Cannot update Employee record</responseMessage>
<correlationId>10300458578837</correlationId>
<error>
<errorMessageDescription>ChoreographUpdateEmpInformation - Cannot update Employee record</errorMessageDescription>
<errorCode>479</errorCode>
</error>
</UpdateEmpInformationResponse>
Thanks for your quick reply. But I don't want to limit my search to the above. I need to search through the entire log file and get the result.
He is giving you a run-anywhere example to PROVE to you that line #6 will do what you need. Take line #6 and append it to your existing search. Profit. Come back here and click Accept and UpVote.
Yep my example should work with your whole dataset. Just do it like this: <your search> | spath | stats count by requestSourceCode responseCode responseMessage
If your data is more complicated than you have shown here, then this query will require a few changes.
Data is in XML format
<responseTypeCode>XYZ</responseTypeCode>
<requestSourceCode>JACK</requestSourceCode>
<responseCode>479</responseCode>
<responseMessage>Cannot update Employee record</responseMessage>
<correlationId>10300458578837</correlationId>
I tried the suggested spath option, no luck 😞
If you post the entire contents of a single event (from Splunk, not raw data) we will be better able to help you.