https://community.splunk.com/t5/Getting-Data-In/Make-Key-Value-fields-from-raw-data-during-indextime/m-p/147308#M30002 <P>I tried it and it still doesn't work. Kinda strange. I am applying them on the indexer and doing a oneshot on it for now.</P> Wed, 29 Jul 2015 18:36:21 GMT theouhuios 2015-07-29T18:36:21Z https://community.splunk.com/t5/Getting-Data-In/Make-Key-Value-fields-from-raw-data-during-indextime/m-p/147306#M30000 <P>Hello</P> <P>I am trying to make key=value pair for the below data and I am lost on where I am going wrong..</P> <PRE><CODE>6/26/15 10:26 AM,abcdefg.com:CRDMS,Oracle Database Server,DB Role (Oracle) Assignment report,Query Rule,Query=DB Role assignment query,"&lt;?xml version=""1.0"" encoding=""UTF-8"" ?&gt; &lt;ResultSetData&gt; &lt;Row&gt; &lt;Column name=""Server Name""&gt;abc.abc&lt;/Column&gt; &lt;Column name=""Database Name""&gt;CRDMS&lt;/Column&gt; &lt;Column name=""Role Name""&gt;PCI_READ_IARD&lt;/Column&gt; &lt;Column name=""Role Grantee""&gt;SYS&lt;/Column&gt; &lt;Column name=""Server NetBIOS Name""&gt;abc.abc&lt;/Column&gt; &lt;/Row&gt; </CODE></PRE> <P>What I plan to do is to make KEY=VALUE pairs for all the name’s with their corresponding values. Example.. “Server Name” = abc.abc , Database Name=CRDMS etc.</P> <P>Props.conf:</P> <PRE><CODE>[test] TRANSFORMS-ext = ext_column_values TRUNCATE=100000 </CODE></PRE> <P>Transforms.conf</P> <PRE><CODE>[ext_column_values] REGEX = ^\s+\&lt;Column\s+name\=\"\"([^\"]+)\"\"\&gt;([^\&lt;]+)\&lt; FORMAT = $1::$2 #MV_ADD = true #WRITE_META = true SOURCE_KEY = _raw </CODE></PRE> <P>But it doesn’t seem to work. Not sure where I am doing wrong. Any ideas?</P> Wed, 29 Jul 2015 18:12:14 GMT https://community.splunk.com/t5/Getting-Data-In/Make-Key-Value-fields-from-raw-data-during-indextime/m-p/147306#M30000 theouhuios 2015-07-29T18:12:14Z https://community.splunk.com/t5/Getting-Data-In/Make-Key-Value-fields-from-raw-data-during-indextime/m-p/147307#M30001 <P>It all looks good to me except that you definitely need <CODE>MV_ADD=true</CODE> so remove the comment character on that line, the RegEx might be better as explicitly multiline:</P> <PRE><CODE>REGEX = (?m)^\s+\&lt;Column\s+name\=\"\"([^\"]+)\"\"\&gt;([^\&lt;]+)\&lt; MV_ADD = true </CODE></PRE> Wed, 29 Jul 2015 18:17:51 GMT https://community.splunk.com/t5/Getting-Data-In/Make-Key-Value-fields-from-raw-data-during-indextime/m-p/147307#M30001 woodcock 2015-07-29T18:17:51Z https://community.splunk.com/t5/Getting-Data-In/Make-Key-Value-fields-from-raw-data-during-indextime/m-p/147308#M30002 <P>I tried it and it still doesn't work. Kinda strange. I am applying them on the indexer and doing a oneshot on it for now.</P> Wed, 29 Jul 2015 18:36:21 GMT https://community.splunk.com/t5/Getting-Data-In/Make-Key-Value-fields-from-raw-data-during-indextime/m-p/147308#M30002 theouhuios 2015-07-29T18:36:21Z https://community.splunk.com/t5/Getting-Data-In/Make-Key-Value-fields-from-raw-data-during-indextime/m-p/147309#M30003 <P>Is the <CODE>sourcetype</CODE> for the events that you would like to exploit called <CODE>test</CODE>? If not, you need to change your stanza header in <CODE>props.conf</CODE> from <CODE>[test]</CODE> to <CODE>[yourSourceType]</CODE> before it will all be connected together. Also, you may have a permission problem depending on where you have placed the <CODE>props.conf</CODE> and <CODE>transforms.conf</CODE> files. You might try setting the permissions to <CODE>Global</CODE> to test if this is the problem.</P> Wed, 29 Jul 2015 20:11:28 GMT https://community.splunk.com/t5/Getting-Data-In/Make-Key-Value-fields-from-raw-data-during-indextime/m-p/147309#M30003 woodcock 2015-07-29T20:11:28Z