Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use spath to extract all Step Names which have a status as Fail! from my XML data?

justgovind30198
Explorer
‎07-23-2015 04:22 AM

hi,

below is my XML file format

<?xml version="1.0" encoding="UTF-8"?>
<RSDReport xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Details>
    <Region>EMEA</Region>
    <FlocID>23872378</FlocID>
    <Location>
      <Country>America</Country>
      <State>California</State>
      <City>LA</City>
      <Hospital>GetCure</Hospital>
    </Location>
  </Details>
  <TargetMachines>
    <TargetMachine Name="Demo_Machine38" IPAddress="10.0.0.38" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc01">
      <Tasks>
        <Task TaskSer="43" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine39" IPAddress="10.0.0.39" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc01">
      <Tasks>
        <Task TaskSer="44" PackageName="Client Applications" PackageVersion="V13.5 (P1007499-002)" PackageID="ec47a4b7-b60c-4084-b212-f66f88ba1e33" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
        <Task TaskSer="45" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine40" IPAddress="10.0.0.40" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc01">
      <Tasks>
        <Task TaskSer="46" PackageName="Client Applications" PackageVersion="V13.5 (P1007499-002)" PackageID="ec47a4b7-b60c-4084-b212-f66f88ba1e33" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine41" IPAddress="10.0.0.41" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc01">
      <Tasks>
        <Task TaskSer="47" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine42" IPAddress="10.0.0.42" Status="NoCommunication" StatusMessage="" IsManuallyInstalled="true" Location="lc02">
      <Tasks>
        <Task TaskSer="48" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="InProgress" StatusMessage="TimeLogger38: Extracting files" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine43" IPAddress="10.0.0.43" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc02">
      <Tasks>
        <Task TaskSer="49" PackageName="Client Applications" PackageVersion="V13.5 (P1007499-002)" PackageID="ec47a4b7-b60c-4084-b212-f66f88ba1e33" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine44" IPAddress="10.0.0.44" Status="NoCommunication" StatusMessage="" IsManuallyInstalled="true" Location="lc02">
      <Tasks>
        <Task TaskSer="50" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="InProgress" StatusMessage="TimeLogger38: Extracting files" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine45" IPAddress="10.0.0.45" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc02">
      <Tasks>
        <Task TaskSer="51" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine46" IPAddress="10.0.0.46" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc03">
      <Tasks>
        <Task TaskSer="52" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Fail" StatusMessage="TimeLogger2: Failed to transfer files to agent, due to insufficient disk space" IsCancelled="false" IsDeleted="false">
          <Steps>
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB299ED33" Name="TimeLogger1" Status="Pass" StepSer="3800" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290ED33" Name="TimeLogger2" Status="Fail" StepSer="3801">
              <Logs />
            </Step>
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD33" Name="TimeLogger3" Status="NotStarted" StepSer="3802" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD34" Name="TimeLogger4" Status="NotStarted" StepSer="3803" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD35" Name="TimeLogger5" Status="NotStarted" StepSer="3804" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD36" Name="TimeLogger6" Status="NotStarted" StepSer="3805" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD37" Name="TimeLogger7" Status="NotStarted" StepSer="3806" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD38" Name="TimeLogger8" Status="NotStarted" StepSer="3807" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD39" Name="TimeLogger9" Status="NotStarted" StepSer="3808" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD40" Name="TimeLogger10" Status="NotStarted" StepSer="3810" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD41" Name="TimeLogger11" Status="NotStarted" StepSer="3811" />
            <Step ID="A95F58E1-F040-47DC-8C4E-871DB290AD42" Name="TimeLogger12" Status="NotStarted" StepSer="3812" />
          </Steps>
        </Task>
      </Tasks>
    </TargetMachine>
    <TargetMachine Name="Demo_Machine47" IPAddress="10.0.0.47" Status="Running" StatusMessage="" IsManuallyInstalled="true" Location="lc03">
      <Tasks>
        <Task TaskSer="53" PackageName="Sample Task New" PackageVersion="2.0.0.0" PackageID="ID_Sample_EXE_Success_New" Status="Pass" StatusMessage="Successfully completed package deployment" IsCancelled="false" IsDeleted="false" />
      </Tasks>
    </TargetMachine>
  </TargetMachines>
</RSDReport>

Now I want to make a chart of the step names which have their status as failed.

Note: I have made my complete file as one event and I am trying to use the search below, but no success!

...| spath output="branchRegion" path="Report.Details.Region" | search branchRegion="*"  | spath output="StepName" path="Report.TargetMachines.TargetMachine.Tasks.Task.Steps.Step{@Name}" | spath output="StepStatus" path="Report.TargetMachines.TargetMachine.Tasks.Task.Steps.Step{@Status}" | search StepStatus=Fail | stats count by StepName

Thanks in advance

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2015 10:26 AM

Start out small and add to your query until you find the source of the error. Begin with ...| spath output="branchRegion" path="RSDReport.Details.Region" and verify the results before adding the next part of the query.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

justgovind30198
Explorer
‎07-23-2015 10:49 AM

I tried the same. but no success!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-24-2015 08:18 AM

Which part of your query is failing?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2015 06:43 AM

I'm not very familiar with spath, but it seems the top level of the path argument should be 'RSDReport' rather than 'Report'.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

justgovind30198
Explorer
‎07-23-2015 09:03 AM

Its a spelling mistake while posting question I have used RSDReport only.

0 Karma
Reply

justgovind30198
Explorer
‎07-23-2015 09:00 AM

sorry for the wrong query actually it is RSDReport. only. but still its not working

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...