Splunk Search

How to filter out inline result

alivesince92
Engager

Hello,

After my query my result is:

<ns2:OriginCountry>RUS</ns2:OriginCountry><ns2:MessageValues><ns2:MessageValue><ns2:Name>SendType</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>MessageCategory</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverCountry</ns2:Name><ns2:Value>RUS</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverLanguage</ns2:Name><ns2:Value>ru</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>OTP</ns2:Name><ns2:Value>736351</ns2:Value></ns2:MessageValue></ns2:MessageValues></ns2:NotificationRequest>

In my result I would like to receive only the figure between the ns2:Value tags.

How can I filter this out?

0 Karma

alivesince92
Engager

Thank you for your response, @kamlesh_vaghela; unfortunately it does not work as expected. I forgot to mention that these 6 digits are variable, depending on the search. In this exact case my search consists of a phone number and a method name. The expected result is the OTP in the ns2:Value field.

0 Karma

kamlesh_vaghela
SplunkTrust

@alivesince92
Please check my UPDATED ANSWER .

0 Karma

alivesince92
Engager

@kamlesh_vaghela , it still does not work.
The result I am getting in Verbose mode is an empty table:
https://ibb.co/z6YS74x

0 Karma

kamlesh_vaghela
SplunkTrust

@alivesince92

Can you please share your search? Please mask confidential values in the search.

0 Karma

alivesince92
Engager

My original search is 9258487596 "S:METHOD_NAME=GwpVerifyPhone"
The response I am getting:
2019-08-28 10:37:32,511 [jetty-84 - /mobiliser/channel] ERROR com.***.***.***.***.project.jms.****liser S:METHOD_NAME=GwpVerifyPhone : WebAppSessionId= : ChannelSessionId=web-***-***-e8b8-***-8796-****365e : ClientIp=217117019234 : Corridor=[RU-UNKNOWN] - Message Sent successfully: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns2:NotificationRequest xmlns:ns2="http://***" xmlns:ns1="http://***" xmlns:ns4="http://***" xmlns:ns3="http://***" xmlns:ns9="http://***" xmlns:ns5="http://***" xmlns:ns6="http://***" xmlns:ns10="http://***" xmlns:ns7="http://***" xmlns:ns8="http://***"><ns1:Header><ns1:Source>Wallet</ns1:Source><ns1:AppName ns1:Version="***">*DIGITAL</ns1:AppName><ns1:Timestamp>2019-08-28T10:37:29.898+03:00</ns1:Timestamp><ns1:CorrelationId>web-**-**-**-**-365e</ns1:CorrelationId><ns1:TransactionId>****</ns1:TransactionId></ns1:Header><ns3:Customer><ns6:Address><ns6:Country ns6:IS03="RUS"/></ns6:Address><ns7:Phone><ns7:PhoneType ns7:Desc="MOBILE">MOBILE</ns7:PhoneType><ns7:PhoneNum ns7:ISDCode="7">9258487596</ns7:PhoneNum></ns7:Phone><ns10:Preference><ns10:PrefLanguageCode>RU</ns10:PrefLanguageCode></ns10:Preference></ns3:Customer><ns2:MessageType>5010</ns2:MessageType><ns2:MessageChannelPreference>SMS</ns2:MessageChannelPreference><ns2:OriginCountry>RUS</ns2:OriginCountry><ns2:MessageValues><ns2:MessageValue><ns2:Name>SendType</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>MessageCategory</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverCountry</ns2:Name><ns2:Value>RUS</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverLanguage</ns2:Name><ns2:Value>ru</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>OTP</ns2:Name><ns2:Value>342719</ns2:Value></ns2:MessageValue></ns2:MessageValues></ns2:NotificationRequest>

And all I need to be visible, instead of all this response, is the 6 digits between the ns2:Value fields. In this case 342719, but as I mentioned before this is variable and it changes, as the OTP is generated by the system.

0 Karma

kamlesh_vaghela
SplunkTrust

@alivesince92
Please check my UPDATED ANSWER VERSION:2 🙂

0 Karma

alivesince92
Engager

@kamlesh_vaghela, you are the superstar! Thank you!

0 Karma

kamlesh_vaghela
SplunkTrust

@alivesince92

You can use spath here.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/spath

Try this:

YOUR_SEARCH  | spath | rename "ns2:MessageValues.ns2:MessageValue.ns2:Value" as Value | table Value

Sample Search:

| makeresults | eval _raw="<ns2:OriginCountry>RUS</ns2:OriginCountry><ns2:MessageValues><ns2:MessageValue><ns2:Name>SendType</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>MessageCategory</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverCountry</ns2:Name><ns2:Value>RUS</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverLanguage</ns2:Name><ns2:Value>ru</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>OTP</ns2:Name><ns2:Value>736351</ns2:Value></ns2:MessageValue></ns2:MessageValues></ns2:NotificationRequest>" | spath | rename "ns2:MessageValues.ns2:MessageValue.ns2:Value" as Value | table Value

And if you want to display the values in different rows, then just add the search below.

| mvexpand Value

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/mvexpand

UPDATED ANSWER

Try this:

YOUR_SEARCH  | spath | rename "ns2:MessageValues.ns2:MessageValue.ns2:*" as * | eval temp = mvzip(Name,Value) | mvexpand temp | eval Name=mvindex(split(temp,","),0),Value=mvindex(split(temp,","),1) | table Name Value

Sample Search:

| makeresults | eval _raw="<ns2:OriginCountry>RUS</ns2:OriginCountry><ns2:MessageValues><ns2:MessageValue><ns2:Name>SendType</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>MessageCategory</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverCountry</ns2:Name><ns2:Value>RUS</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverLanguage</ns2:Name><ns2:Value>ru</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>OTP</ns2:Name><ns2:Value>736351</ns2:Value></ns2:MessageValue></ns2:MessageValues></ns2:NotificationRequest>" | spath | rename "ns2:MessageValues.ns2:MessageValue.ns2:*" as * | eval temp = mvzip(Name,Value) | mvexpand temp | eval Name=mvindex(split(temp,","),0),Value=mvindex(split(temp,","),1) | table Name Value

UPDATED ANSWER VERSION:2

As per your provided sample events, I have made a few changes to my previous search.

YOUR_SEARCH   | rex field=_raw "(?<data><ns2:NotificationRequest(.+?)<\/ns2:NotificationRequest>)" 
    | eval _raw=data 
    | spath
    | rename "ns2:NotificationRequest.ns2:MessageValues.ns2:MessageValue.ns2:*" as * 
    | eval temp = mvzip(Name,Value) 
    | mvexpand temp 
    | eval Name=mvindex(split(temp,","),0),Value=mvindex(split(temp,","),1) 
    | table Name Value

Sample Search:

| makeresults 
| eval _raw="2019-08-28 10:37:32,511 [jetty-84 - /mobiliser/channel] ERROR com.***.***.***.***.project.jms.****liser S:METHOD_NAME=GwpVerifyPhone : WebAppSessionId= : ChannelSessionId=web-***-***-e8b8-***-8796-****365e : ClientIp=217117019234 : Corridor=[RU-UNKNOWN] - Message Sent successfully: <?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><ns2:NotificationRequest xmlns:ns2=\"http://***\" xmlns:ns1=\"http://***\" xmlns:ns4=\"http://***\" xmlns:ns3=\"http://***\" xmlns:ns9=\"http://***\" xmlns:ns5=\"http://***\" xmlns:ns6=\"http://***\" xmlns:ns10=\"http://***\" xmlns:ns7=\"http://***\" xmlns:ns8=\"http://***\"><ns1:Header><ns1:Source>Wallet</ns1:Source><ns1:AppName ns1:Version=\"***\">*DIGITAL</ns1:AppName><ns1:Timestamp>2019-08-28T10:37:29.898+03:00</ns1:Timestamp><ns1:CorrelationId>web-**-**-**-**-365e</ns1:CorrelationId><ns1:TransactionId>****</ns1:TransactionId></ns1:Header><ns3:Customer><ns6:Address><ns6:Country ns6:IS03=\"RUS\"/></ns6:Address><ns7:Phone><ns7:PhoneType ns7:Desc=\"MOBILE\">MOBILE</ns7:PhoneType><ns7:PhoneNum ns7:ISDCode=\"7\">9258487596</ns7:PhoneNum></ns7:Phone><ns10:Preference><ns10:PrefLanguageCode>RU</ns10:PrefLanguageCode></ns10:Preference></ns3:Customer><ns2:MessageType>5010</ns2:MessageType><ns2:MessageChannelPreference>SMS</ns2:MessageChannelPreference><ns2:OriginCountry>RUS</ns2:OriginCountry><ns2:MessageValues><ns2:MessageValue><ns2:Name>SendType</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>MessageCategory</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverCountry</ns2:Name><ns2:Value>RUS</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>ReceiverLanguage</ns2:Name><ns2:Value>ru</ns2:Value></ns2:MessageValue><ns2:MessageValue><ns2:Name>OTP</ns2:Name><ns2:Value>342719</ns2:Value></ns2:MessageValue></ns2:MessageValues></ns2:NotificationRequest>" 
| rex field=_raw "(?<data><ns2:NotificationRequest(.+?)<\/ns2:NotificationRequest>)" 
| eval _raw=data 
| spath
| rename "ns2:NotificationRequest.ns2:MessageValues.ns2:MessageValue.ns2:*" as * 
| eval temp = mvzip(Name,Value) 
| mvexpand temp 
| eval Name=mvindex(split(temp,","),0),Value=mvindex(split(temp,","),1) 
| table Name Value

Happy Splunking
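The pipeline in the accepted answer (carve the NotificationRequest element out of the log line with rex, parse it, and pair each ns2:Name with its ns2:Value) reproduced as an added Python example; this is not code from the thread or from Splunk. The log line it parses is constructed to match the format shown above with placeholder values, and the namespace URIs, the `[REDACTED]` marker and all function names are assumptions of this example. Elements are matched by local name so the prefix in use does not matter, which is what the wildcard rename in the search achieves, and `redact_otp` is the complementary log-hygiene check: the same pattern that locates the OTP value can mask it before the event is indexed.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample log line modelled on the format in the thread.
# Every value (ids, IP, phone number, OTP, namespace URIs) is a placeholder.
SAMPLE_LOG_LINE = (
    '2019-08-28 10:37:32,511 [jetty-84 - /mobiliser/channel] ERROR '
    'com.example.project.jms.Mobiliser S:METHOD_NAME=GwpVerifyPhone : '
    'WebAppSessionId= : ChannelSessionId=web-0000-0000 : ClientIp=0.0.0.0 : '
    'Corridor=[RU-UNKNOWN] - Message Sent successfully: '
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<ns2:NotificationRequest xmlns:ns2="urn:example:notification" '
    'xmlns:ns1="urn:example:header">'
    '<ns1:Header><ns1:Source>Wallet</ns1:Source></ns1:Header>'
    '<ns2:MessageType>5010</ns2:MessageType>'
    '<ns2:MessageValues>'
    '<ns2:MessageValue><ns2:Name>SendType</ns2:Name><ns2:Value>S</ns2:Value></ns2:MessageValue>'
    '<ns2:MessageValue><ns2:Name>ReceiverCountry</ns2:Name><ns2:Value>RUS</ns2:Value></ns2:MessageValue>'
    '<ns2:MessageValue><ns2:Name>OTP</ns2:Name><ns2:Value>000000</ns2:Value></ns2:MessageValue>'
    '</ns2:MessageValues>'
    '</ns2:NotificationRequest>'
)

# Same carve-out as the rex in the answer: from the opening root tag to its close.
# A fragment without the opening tag (as in the first post) does not match,
# which is why the rex step is needed before parsing.
NOTIFICATION_RE = re.compile(
    r"<ns2:NotificationRequest\b.*?</ns2:NotificationRequest>", re.DOTALL
)

# Locates the OTP value so it can be masked; assumed "[REDACTED]" marker.
OTP_VALUE_RE = re.compile(
    r"(<ns2:Name>OTP</ns2:Name><ns2:Value>)[^<]*(</ns2:Value>)"
)


def _local(tag: str) -> str:
    """Strip the {namespace-uri} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def extract_request_xml(line: str) -> Optional[str]:
    """Return the NotificationRequest element embedded in a log line, or None."""
    match = NOTIFICATION_RE.search(line)
    return match.group(0) if match else None


def message_values(line: str) -> List[Tuple[str, str]]:
    """Return (Name, Value) pairs for every MessageValue, like the Name/Value table."""
    xml = extract_request_xml(line)
    if xml is None:
        return []
    root = ET.fromstring(xml)
    pairs: List[Tuple[str, str]] = []
    for element in root.iter():
        if _local(element.tag) != "MessageValue":
            continue
        name = value = None
        for child in element:
            if _local(child.tag) == "Name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "Value":
                value = (child.text or "").strip()
        if name is not None:
            pairs.append((name, value or ""))
    return pairs


def otp_value(line: str) -> Optional[str]:
    """Return only the OTP value, which is what the question asked for."""
    for name, value in message_values(line):
        if name == "OTP":
            return value
    return None


def redact_otp(line: str) -> str:
    """Mask the OTP in a raw line so the code never reaches the index as plaintext."""
    return OTP_VALUE_RE.sub(r"\g<1>[REDACTED]\g<2>", line)


if __name__ == "__main__":
    for name, value in message_values(SAMPLE_LOG_LINE):
        print(f"{name:<16} {value}")
    print("OTP only:", otp_value(SAMPLE_LOG_LINE))
    print("Redacted:", otp_value(redact_otp(SAMPLE_LOG_LINE)))
```

Running the block prints the same Name/Value table the final search produces, then the OTP on its own, then the masked value after `redact_otp` has been applied to the raw line.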

kamlesh_vaghela
SplunkTrust

@alivesince92

Glad to help you. Please upvote any comments which help you to understand the solution and accept this answer to close this question.

Happy Splunking

0 Karma

kamlesh_vaghela
SplunkTrust

@alivesince92

We cannot see the fields or XML tags you mentioned. Can you please use a code block for that?

0 Karma

alivesince92
Engager

Thank you for your notice. Already updated.

0 Karma