Given the following event log XML (sample) data:
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<!--This file represents the results of running a test suite-->
<test-results total="2" errors="0" failures="1" not-run="2" inconclusive="0" ignored="2" skipped="0" invalid="0" date="2015-08-18" time="12:36:04">
  <test-suite type="Assembly" name="Smoke.Tests.dll" executed="True" result="Failure" success="False" time="40.000" asserts="0">
    <results>
      <test-suite type="Namespace" name="MyTestSuite" executed="True" result="Failure" success="False" time="40.000" asserts="0">
        <results>
          <test-suite type="TestFixture" name="Feature1" description="Description1" executed="True" result="Success" time="20.000">
            <results>
              <test-case name="Test1" description="TestDescription1" executed="True" result="Success"/>
            </results>
          </test-suite>
          <test-suite type="TestFixture" name="Feature2" description="Description2" executed="False" result="Ignored">
            <results>
              <test-case name="Test2" description="TestDescription2" executed="False" result="Ignored"/>
            </results>
          </test-suite>
          <test-suite type="TestFixture" name="Feature3" description="Description3" executed="True" result="Fail" time="20.000">
            <results>
              <test-case name="Test3" description="TestDescription3" executed="True" result="Fail"/>
            </results>
          </test-suite>
          <test-suite type="TestFixture" name="Feature14" description="Description4" executed="False" result="Ignored">
            <results>
              <test-case name="Test4" description="TestDescription4" executed="False" result="Ignored"/>
              <test-case name="Test5" description="TestDescription5" executed="False" result="Ignored"/>
              <test-case name="Test6" description="TestDescription6" executed="False" result="Ignored"/>
            </results>
          </test-suite>
        </results>
      </test-suite>
    </results>
  </test-suite>
</test-results>
Is it possible to generate 2 tables of results similar to that below (includes 'group' data too) for only those Test Fixtures where executed=True:
Name      Description   Result   TimeTaken
Feature1  Description1  Success  20.000
Feature3  Description3  Fail     20.000

Date        Time      Ran  Ignored  Failed  Errored  TotalTime
2015-08-18  12:36:04  2    2        1       0        40.000
Two things you need to consider.
1) spath has an extraction cutoff whose default is the first 5000 bytes. So if your XML event is greater than 5000 bytes, spath will not extract all fields.
2) If your event is greater than 10K characters, you need to ensure that the whole event is ingested and not truncated.
To address these two cases you could use the following configuration files:
1) /opt/splunk/etc/system/local/inputs.conf
[your_sourcetype_name]
TRUNCATE = 0
2) /opt/splunk/etc/system/local/limits.conf
[spath]
extraction_cutoff = 10000
Then, restart Splunk.
I hope it helps...
Lp
For more information:
http://docs.splunk.com/Documentation/Splunk/6.2.5/Admin/Limitsconf
http://docs.splunk.com/Documentation/Splunk/6.2.5/Admin/Inputsconf
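An added example, not from the thread and not Splunk code: a Python check that, for one raw XML event, lists which TestFixture suites close inside the bytes spath would parse under the TRUNCATE and extraction_cutoff values given in the answer above. The function names, the constructed 60-fixture event, and the model that spath reads only the leading extraction_cutoff bytes of the indexed event are assumptions.

```python
import xml.parsers.expat

END_TAG_LEN = len(b"</test-suite>")


def audit_event(raw, truncate=10000, cutoff=5000):
    """Split TestFixture suites into those spath can extract and those it misses."""
    # Defaults are the limits quoted in the answer; TRUNCATE = 0 means no truncation.
    indexed = len(raw) if truncate == 0 else min(len(raw), truncate)
    visible = min(indexed, cutoff)  # assumption: spath reads only this prefix
    parser = xml.parsers.expat.ParserCreate()
    open_suites, seen, missed = [], [], []

    def on_start(tag, attrs):
        if tag == "test-suite":
            # Track every suite so nesting stays balanced; name only fixtures.
            is_fixture = attrs.get("type") == "TestFixture"
            open_suites.append(attrs.get("name") if is_fixture else None)

    def on_end(tag):
        if tag == "test-suite":
            name = open_suites.pop()
            if name is not None:
                # CurrentByteIndex is the offset where this closing tag starts.
                end = parser.CurrentByteIndex + END_TAG_LEN
                (seen if end <= visible else missed).append(name)

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.Parse(raw, True)  # offsets come from the complete, untruncated event
    return {"size": len(raw), "truncated": indexed < len(raw),
            "seen": seen, "missed": missed}


def build_event(n):
    """Constructed sample: n executed fixtures in the shape of the question's XML."""
    fixture = (b'<test-suite type="TestFixture" name="Feature%d" description="Description%d"'
               b' executed="True" result="Success" time="20.000"><results>'
               b'<test-case name="Test%d" description="TestDescription%d" executed="True"'
               b' result="Success"/></results></test-suite>')
    body = b"".join(fixture % (i, i, i, i) for i in range(1, n + 1))
    return (b'<?xml version="1.0" encoding="utf-8"?><test-results total="%d">'
            b'<test-suite type="Assembly" name="Smoke.Tests.dll"><results>' % n
            + body + b"</results></test-suite></test-results>")


if __name__ == "__main__":
    report = audit_event(build_event(60))
    print(report["size"], report["truncated"], len(report["seen"]), len(report["missed"]))
```

Run against a raw event exported from the forwarder, a non-empty `missed` list means a search built on spath would silently report fewer fixtures than the file contains.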
I've read about this, and did mention the 5000 limit in my last comment. However, as useful as this is, it is not an answer to the question.
The question is how to obtain multiple XML query results (i.e. from multiple elements that match the query) from each single XML event log and display them as a table.
Thanks.
I can generate the summary results using the following:
sourcetype="xml" | spath output="Total" path=test-results.test-suite{1}{@time} | rename total as "Ran" | rename success as "Overall Result" | table date, time, "Ran", ignored, failures, errors, "TotalTime"
(Please ignore the namings of the headers)
As these fields are automatically generated by Splunk (I assume from the processing of the first 5000 chars of the file - though I can't get to any Splunk Server config files).