So I've been reading around and most people point to xpath, but after hours of troubleshooting I can't seem to get it to work in my scenario. I'm trying to extract **decision** and **reasoncode** as fields and report on them, but I just can't seem to get Splunk to recognize them in all of the outputs.
So far I have this search working to report all failures (kind of). But I'm hoping for something better.
Sample Search:
```
host=relevanthost "" "" NOT "ACCEPT "
|xmlkv |timechart count by c:reasonCode limit=25
```
Sample Code:
```
[2016-05-timestampstuff] [HOSTNAME] [NOTIFICATION] [numbers] [oracle.router.stuff] [tid: [ACTIVE].ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: fakenumbersandlettersecid] [oracle.soa.tracking.FlowId: 000000000] [oracle.soa.tracking.InstanceId: 000000000] [oracle.soa.tracking.SCAEntityId: 00000] [FlowId:fakenumbersandletters] [[
[OSB Tracing] Entering pipeline pair Process Request with message context:
[MessageContextImpl uid="fakeuidlettersandnumbers"
body="0000000000 0000000000000000000000 ACCEPT 100 faketokenlettersandnumbers USD 100 99.99 000000 X A3 S S
```