Anyone? The documentation is pretty basic with its examples. I can't find many examples with simple explanations on the forums.
Forums: SplunkReporting: Help with creating report from XML feed
Hi all,
We're using Splunk to audit a REST data feed we have. This data feed sends information from a satellite network to providers, so ensuring we're receiving messages from the satellite is very important. I've modified the web ping app to consume the REST server and dump the XML into Splunk.
We want to do the following.
1. For each user (username field) remove duplicate AcPos xml output as there is a time overlap between queried
2. After duplicate AcPos xml elements have been eliminated, create a list of all esn numbers and delta between dataCtrDateTime and dateTime
3. Display a graph of the delta between dataCtrDateTime and dateTime that we can click on and get the username field as well as the esn number
4. I created a custom index just for this feed named "affdata"
I'm new to Splunk and this seems quite advanced, can someone give me a hand getting started on this?
Thanks,
Todd
Here are 2 examples of the raw data that is returned.
2:07:31.000 PM
AFFFeedAudit
ping_name = AFF:Foo
ping_url = https://aff.foo.com/DataQuery
username = affserviceuser
time_in_ms = 819
size_in_bytes = 2376
status_code = 200
contents =
<?xml version="1.0" encoding="utf-8"?>
<data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" sysID="Foo" rptTime="2009-08-18T02:07:29.072375Z" version="2.23" xmlns="https://www.aff.gov/affSchema">
<msgList />
<posList>
<acPos esn="300034012177820" UnitID="300034012177820" source="GPS" fix="3D" HDOP="11" dataCtr="Foo" dataCtrDateTime="2009-08-18T02:03:10.51Z" dateTime="2009-08-18T02:03:00Z">
<Lat>61.293825</Lat>
<Long>-139.552636666667</Long>
<altitude units="meters msl">1535</altitude>
<speed units="meters/sec">0</speed>
<heading units="North-True">28</heading>
</acPos>
<acPos esn="300034012246100" UnitID="300034012246100" source="GPS" fix="3D" HDOP="0" dataCtr="Foo" dataCtrDateTime="2009-08-18T02:03:41.183Z" dateTime="2009-08-18T02:03:30Z">
<Lat>-40.354893333333</Lat>
<Long>175.6119</Long>
<altitude units="meters msl">34</altitude>
<speed units="meters/sec">0</speed>
<heading units="North-True">143</heading>
</acPos>
<acPos esn="300034012177820" UnitID="300034012177820" source="GPS" fix="3D" HDOP="13" dataCtr="Foo" dataCtrDateTime="2009-08-18T02:05:35.697Z" dateTime="2009-08-18T02:05:00Z">
<Lat>61.261345</Lat>
<Long>-139.552566666667</Long>
<altitude units="meters msl">1710</altitude>
<speed units="meters/sec">88</speed>
<heading units="North-True">156</heading>
</acPos>
<acPos esn="300034012246100" UnitID="300034012246100" source="GPS" fix="3D" HDOP="0" dataCtr="Foo" dataCtrDateTime="2009-08-18T02:05:41.667Z" dateTime="2009-08-18T02:05:30Z">
<Lat>-40.354901666667</Lat>
<Long>175.611895</Long>
<altitude units="meters msl">32</altitude>
<speed units="meters/sec">0</speed>
<heading units="North-True">144</heading>
</acPos>
<acPos esn="300034012177820" UnitID="300034012177820" source="GPS" fix="3D" HDOP="12" dataCtr="Foo" dataCtrDateTime="2009-08-18T02:07:11.183Z" dateTime="2009-08-18T02:07:00Z">
<Lat>61.221078333333</Lat>
<Long>-139.483968333333</Long>
<altitude units="meters msl">1784</altitude>
<speed units="meters/sec">94</speed>
<heading units="North-True">139</heading>
</acPos>
</posList>
</data>
AFFFeedAudit
8/18/09 2:06:32.000 PM
AFFFeedAudit
ping_name = AFF:Foo
ping_url = https://aff.foo.com/DataQuery
username = affserviceuser
time_in_ms = 1385
size_in_bytes = 2358
status_code = 200
contents =
<?xml version="1.0" encoding="utf-8"?>
<data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" sysID="Foo" rptTime="2009-08-18T02:06:29.74425Z" version="2.23" xmlns="https://www.aff.gov/affSchema">
<msgList />
<posList>
<acPos esn="300034012246100" UnitID="300034012246100" source="GPS" fix="3D" HDOP="0" dataCtr="Foo" dataCtrDateTime="2009-08-18T02:01:39.337Z" dateTime="2009-08-18T02:01:30Z">
<Lat>-40.354895</Lat>
<Long>175.61189</Long>
<altitude units="meters msl">30</altitude>
<speed units="meters/sec">0</speed>
<heading units="North-True">104</heading>
</acPos>
<acPos esn="300034012177820" UnitID="300034012177820" source="GPS" fix="3D" HDOP="11" dataCtr="Foo" dataCtrDateTime="2009-08-18T02:03:10.51Z" dateTime="2009-08-18T02:03:00Z">
<Lat>61.293825</Lat>
<Long>-139.552636666667</Long>
<altitude units="meters msl">1535</altitude>
<speed units="meters/sec">0</speed>
<heading units="North-True">28</heading>
</acPos>
<acPos esn="300034012246100" UnitID="300034012246100" source="GPS" fix="3D" HDOP="0" dataCtr="Foo" dataCtrDateTime="2009-08-18T02:03:41.183Z" dateTime="2009-08-18T02:03:30Z">
<Lat>-40.354893333333</Lat>
<Long>175.6119</Long>
<altitude units="meters msl">34</altitude>
<speed units="meters/sec">0</speed>
<heading units="North-True">143</heading>
</acPos>
<acPos esn="300034012177820" UnitID="300034012177820" source="GPS" fix="3D" HDOP="13" dataCtr="Foo" dataCtrDateTime="2009-08-18T02:05:35.697Z" dateTime="2009-08-18T02:05:00Z">
<Lat>61.261345</Lat>
<Long>-139.552566666667</Long>
<altitude units="meters msl">1710</altitude>
<speed units="meters/sec">88</speed>
<heading units="North-True">156</heading>
</acPos>
<acPos esn="300034012246100" UnitID="300034012246100" source="GPS" fix="3D" HDOP="0" dataCtr="Foo" dataCtrDateTime="2009-08-18T02:05:41.667Z" dateTime="2009-08-18T02:05:30Z">
<Lat>-40.354901666667</Lat>
<Long>175.611895</Long>
<altitude units="meters msl">32</altitude>
<speed units="meters/sec">0</speed>
<heading units="North-True">144</heading>
</acPos>
</posList>
</data>
AFFFeedAudit
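The de-duplication and delay calculation from steps 1 and 2 above, sketched in Python outside Splunk as an added example (it is not part of the original post and is not Splunk search syntax). It assumes a position fix is uniquely identified by username, esn and dateTime; `parse_ts`, `feed_delays`, `_sample` and the two trimmed polls are names constructed here, using attribute values from the events in the post.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Default namespace declared on the feed's <data> element.
NS = {"aff": "https://www.aff.gov/affSchema"}


def parse_ts(value):
    """Parse the feed's UTC timestamps; the fraction is optional (1-6 digits)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt)


def feed_delays(polls):
    """polls: iterable of (username, xml_text), one entry per poll of the feed.

    Returns one row per unique (username, esn, dateTime) with the delay in
    seconds between the unit's fix (dateTime) and its arrival at the data
    centre (dataCtrDateTime). Repeats from overlapping query windows are dropped.
    """
    seen, rows = set(), []
    for username, xml_text in polls:
        # Stdlib parser: adequate for a feed you operate; use a hardened
        # parser if the XML source is not trusted.
        root = ET.fromstring(xml_text)
        for pos in root.iterfind("aff:posList/aff:acPos", NS):
            key = (username, pos.get("esn"), pos.get("dateTime"))
            if key in seen:  # same fix already seen in an earlier poll
                continue
            seen.add(key)
            delta = parse_ts(pos.get("dataCtrDateTime")) - parse_ts(pos.get("dateTime"))
            rows.append({"username": username, "esn": key[1],
                         "dateTime": key[2], "delta_s": round(delta.total_seconds(), 3)})
    return rows


def _sample(*positions):
    """Constructed helper: wrap (esn, dataCtrDateTime, dateTime) tuples in the feed envelope."""
    body = "".join(f'<acPos esn="{e}" dataCtrDateTime="{c}" dateTime="{d}"/>'
                   for e, c, d in positions)
    return f'<data xmlns="https://www.aff.gov/affSchema"><msgList/><posList>{body}</posList></data>'


# Constructed sample: two overlapping polls, trimmed to the attributes used here.
POLL_A = _sample(("300034012177820", "2009-08-18T02:03:10.51Z", "2009-08-18T02:03:00Z"),
                 ("300034012246100", "2009-08-18T02:03:41.183Z", "2009-08-18T02:03:30Z"))
POLL_B = _sample(("300034012246100", "2009-08-18T02:01:39.337Z", "2009-08-18T02:01:30Z"),
                 ("300034012177820", "2009-08-18T02:03:10.51Z", "2009-08-18T02:03:00Z"))

if __name__ == "__main__":
    for row in feed_delays([("affserviceuser", POLL_A), ("affserviceuser", POLL_B)]):
        print(row)
```
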