Solved: Re: Help Needed with Regular Expression

rishiaggarwal · ‎01-28-2016

Hi All,

i am newbie to splunk platform and seeking some help in writing a regular expression to pull a "" value from the XML type log. Sample XML is as mentioned below.

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope">
    <S:Body>
        <Response xmlns="http://soa.comptel.com/2011/02/instantlink">
            <ResponseHeader>
                <RequestId>83506576</RequestId>
                <Status>9</Status>
                <OrderNo />
                <StatusMessage>Request Ready</StatusMessage>
                <StatusMessageId>RC-0000</StatusMessageId>
                <Priority>5</Priority>
                <ReqUser>bss</ReqUser>
                <ReceivedDate>2016-01-29T11:27:15.951+11:00</ReceivedDate>
                <FinishedDate>2016-01-29T11:27:17.033+11:00</FinishedDate>
            </ResponseHeader>
            <ResponseParameters>
                <Parameter name="PREFIX" value="REMOVE_B4_TO_OSSBSS_" />
                <Parameter name="NOTIFY_INTERACTION_STATUS" value="Success" />
            </ResponseParameters>
            <RequestParameters>
                <Parameter name="NOTIFICATION_MSG_LEVEL" value="0" />
                <Parameter name="RESP_QUEUE_ID" value="SYNCSOA" />
                <Parameter name="NOTIFY_NBN_ORDER_ID" value="ORD000048321077" />
                <Parameter name="REQ_OBJ" value="1" />
                <Parameter name="SERVICE_TYPE" value="createBillingEventResponse" />
                <Parameter name="NOTIFY_CORRELATION_ID" value="4b24bd92-aee3-474a-8c99-9067fbb06ef1" />
                <Parameter name="NOTIFY_BILLING_SUCCESSFUL" value="YES" />
                <Parameter name="CLIENT_ID" value="bss" />
                <Parameter name="ORIGIN" value="1" />
                <Parameter name="REQ_TYPE" value="1" />
                <Parameter name="NOTIFY_ACCESS_SEEKER_ID" value="ASI000000000035" />
            </RequestParameters>
        </Response>
    </S:Body>
</S:Envelope>

From above log i wish to access NOTIFY_CORRELATION_ID for which value = 4b24bd92-aee3-474a-8c99-9067fbb06ef1

Can anyone please suggest me a search sub string ?

Example : | xpath field=message outfield=CORRELATION_ID "//RequestParameters/[ID='NOTIFY_CORRELATION_ID']/../value"

Best Regards
Rishi

jbjerke_splunk · ‎01-29-2016

Hi rishiaggarwal

Try this one:

| rex "Parameter name=\"NOTIFY_CORRELATION_ID\" value=\"(?<NOTIFY_CORRELATION_ID>[^\"]+)"

If correct, please mark as answered so we can close this post.

j

View solution in original post

jbjerke_splunk · ‎01-29-2016

Hi rishiaggarwal

Try this one:

| rex "Parameter name=\"NOTIFY_CORRELATION_ID\" value=\"(?<NOTIFY_CORRELATION_ID>[^\"]+)"

If correct, please mark as answered so we can close this post.

j

Murali2888 · ‎01-28-2016

if the NOTIFY_CORRELATION_ID is occurring once per message then you can use

| rex "Parameter name=\"NOTIFY_CORRELATION_ID\" value=\"(?<CorrelationID>[^"]"

if there is multiple occurrence per message you can add max_match=0 with the rex command which will extract a multi-value field per event.

rishiaggarwal · ‎01-28-2016

Thanks for the response. While running this query i am getting an error "Mismatched ']'."

gcato · ‎01-28-2016

Try backslashing escaping the second to last quote (") and closing parenthesis ...

| rex "Parameter name=\"NOTIFY_CORRELATION_ID\" value=\"(?<CorrelationID>[^\"])"

gcato · ‎01-28-2016

Oh... and a + after the ]

 | rex "Parameter name=\"NOTIFY_CORRELATION_ID\" value=\"(?<CorrelationID>[^\"]+)"

Murali2888 · ‎01-28-2016

Apologies. I missed a bracket there | rex "Parameter name=\"NOTIFY_CORRELATION_ID\" value=\"(?[^"]*)"

Help Needed with Regular Expression

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio