Re: How to group by text within a field

proctormap · ‎05-05-2016

I am trying to group by text within a specific field. I'm essentially searching a message content field called event. Within this event field, I am searching for specific errorCodes, but I also want to group by the error codes in the result. I'm not able to do an extraction because the message content is in xml format and I can't seem to extract the specific tag. Is there any way to handle this group by ask?

I want to group the results by unique values within my XML tag. If you couldn't tell...I'm new to this so I'm very appreciative of any guidance you can offer!

renjith_nair · ‎05-06-2016

You can use spath (http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/Spath) to extract the field from XML at search time.

or you can use kvmode in props

     KV_MODE = [none|auto|multi|json|xml]
     * Used for search-time field extractions only.
     * Specifies the field/value extraction mode for the data.
     * Set KV_MODE to one of the following:
             * none: if you want no field/value extraction to take place.
             * auto: extracts field/value pairs separated by equal signs.
             * multi: invokes the multikv search command to expand a tabular event into multiple events.
         * xml : automatically extracts fields from XML data.
         * json: automatically extracts fields from JSON data.
     * Setting to 'none' can ensure that one or more user-created regexes are not overridden by
       automatic field/value extraction for a particular host, source, or source type, and also
       increases search performance.
     * Defaults to auto.
     * The 'xml' and 'json' modes will not extract any fields when used on data that isn't of the correct format (JSON or XML).

---
What goes around comes around. If it helps, hit it with Karma 🙂

proctormap · ‎05-06-2016

Thanks for the input Renjith - I tried using spath but my search results look the same as before I included it in my search. Where should my extracted values show up?

| spath output=errorCode path=cart.errorData.error.errorCode

I don't believe the KV_mode is an option for me.

renjith_nair · ‎05-18-2016

Do you have a sample xml snippet to look at ? please do not psot any sensitive data , mask it

---
What goes around comes around. If it helps, hit it with Karma 🙂

proctormap · ‎05-19-2016

<errorData correlationId="123456789" correlationType="cartItem">
    <error>
        <errorCode>CART_ERR_111</errorCode>
        <description>Inventory is not available for the item 123456789.</description>
        <errorProperties>
            <errorProperty>
                <name>inventory</name>
                <value>1</value>
            </errorProperty>
        </errorProperties>
    </error>
</errorData>

proctormap · ‎05-19-2016

here is my spath statement -

| spath output=errorCode path=cart.errorData.error.errorCode

renjith_nair · ‎05-23-2016

This is what I tried and I got error code as a field

|stats count|eval abc="<cart>
 <errorData correlationId=\"123456789\" correlationType=\"cartItem\">
     <error>
         <errorCode>CART_ERR_111</errorCode>
         <description>Inventory is not available for the item 123456789.</description>
         <errorProperties>
             <errorProperty>
                 <name>inventory</name>
                 <value>1</value>
             </errorProperty>
         </errorProperties>
     </error>
 </errorData>
</cart>"|spath input=abc output=errorCode path=cart.errorData.error.errorCode|table errorCode

---
What goes around comes around. If it helps, hit it with Karma 🙂

How to group by text within a field

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases