topic not work transforms in Getting Data In

not work transforms

klychnikov — Mon, 10 Dec 2012 12:40:46 GMT

Based on config files(please see below) we transform file from .xml format to .csv.
After the log been converted we see that all the messages written as one large event.
We would like to have one event per csv’s string with the fields from transforms.conf.

> inputs.conf
> [monitor:\\SPLUNK0\C$\test\1]
> index = kasper
> _whitelist = .*\.xml
> 
> props.conf  [source::...kasper*.xml]
> TRUNCATE =  0 
> SEDCMD-1 = s/(?m)(^.*?</Worksheet>)//g ###clean the garbage
> SEDCMD-2 = s/(?m)(<W\w*\s\w*\SN\w*[="]+M\w*.*>$)//g ####clean the garbage
> SEDCMD-3 = s/(?m)(</R\w*>)/\n/g ###transfer the event to a new line
> SEDCMD-4 = s/(?m)(</D\w*>)/;/g ### set separators
> SEDCMD-5 = s/(?m)(<[^>]*>)//g ### delete tags
> sourcetype = csv_kasper  
> CHECK_FOR_HEADER = false
> priority = 101

> transforms.conf
> [csv_kasper]
> DELIMS=";"
> FIELDS="Status","V-host","Group","Computer","LastData","description","IP","Alive","Domain","NetBIOS","DomainName","DNS"
> 

> Критический;;0_test;BD00;7 ноября 2012 г. 15:17:23;Не установлен Антивирус Касперского. ;10.54.44.68;7 ноября 2012 г. 15:17:23;dom;BD00;bd00;dom;
> Критический;;0_test;BD00;16 ноября 2012 г. 12:01:16;Давно не выполнялся поиск вирусов. ;10.54.45.26;16 ноября 2012 г. 12:01:16;dom;BD00;bd00;dom;
> Критический;;0_test;BEOVA;16 ноября 2012 г. 11:58:35;Давно не выполнялся поиск вирусов. ;10.54.44.70;16 ноября 2012 г. 12:06:28;dom;BEZULOVA;beova;dom;
> Критический;;0_test;BRCH11;16 ноября 2012 г. 11:55:25;Давно не выполнялся поиск вирусов. ;10.54.42.71;16 ноября 2012 г. 11:55:25;dom;BRONICH11;brich11;dom;

Re: not work transforms

klychnikov — Thu, 13 Dec 2012 08:41:50 GMT

As I understand it is no support! Ask not for the first question and assistance to the no!

Re: not work transforms

Drainy — Thu, 13 Dec 2012 08:46:29 GMT

Just in terms of "making your life easy", I would be tempted to write a python script that handles the conversion of XML to CSV and then get Splunk to read in the CSV, that will be relatively simple. Maintaining and using the config above could become an effort over time.

Otherwise, sed isn't my area of specialty sorry 🙂 But I always take the view that I should try and help Splunk out as much as I can to simplify configs and avoid performance hits (if you're indexing a lot)

Re: not work transforms

Drainy — Thu, 13 Dec 2012 08:47:09 GMT

What now? If you're saying theres no support you just need to give it time, its a community site so it sometimes takes a while to get an answer

Re: not work transforms

klychnikov — Thu, 13 Dec 2012 09:04:00 GMT

Frankly this is not the answer. Ask about a particular situation. Enough time has passed, the last on a week.

Re: not work transforms

Drainy — Thu, 13 Dec 2012 09:20:05 GMT

Well I understood the first part, it may not point out the error but it offers a workaround. The second part, what?

Re: not work transforms

klychnikov — Thu, 13 Dec 2012 09:24:08 GMT

All events brings in one event. I would like to a breakdown of the items on the events