https://community.splunk.com/t5/Getting-Data-In/How-do-I-rename-xml-fields-in-props-conf/m-p/174180#M35060 <P>I have a file of XML-like events that look like this:</P> <PRE> &lt;Event Field1=foo Field2=bar Field3=baz &gt; &lt;Data Field4=whz Field5=zip Field3=floo/&gt; &lt;/Event&gt; </PRE> <P>Both the Event line and the Data line have a field named Field3, and they are automatically extracted as the same field in the search. Is there a way to prepend the first tag (i.e. either Event or Data) to the Field3 name so Splunk can tell they're distinct? Prepending Event or Data to all the field names would also work.</P> <P>In props.conf:<BR /> <PRE><BR /> [xml_sample]<BR /> SHOULD_LINEMERGE = true<BR /> DATETIME_CONFIG = NONE<BR /> BREAK_ONLY_BEFORE_DATE = false<BR /> BREAK_ONLY_BEFORE =]&gt;<BR /> MUST_BREAK_AFTER = <BR /> </PRE></P> Mon, 28 Sep 2020 18:34:37 GMT cphair 2020-09-28T18:34:37Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-rename-xml-fields-in-props-conf/m-p/174180#M35060 <P>I have a file of XML-like events that look like this:</P> <PRE> &lt;Event Field1=foo Field2=bar Field3=baz &gt; &lt;Data Field4=whz Field5=zip Field3=floo/&gt; &lt;/Event&gt; </PRE> <P>Both the Event line and the Data line have a field named Field3, and they are automatically extracted as the same field in the search. Is there a way to prepend the first tag (i.e. either Event or Data) to the Field3 name so Splunk can tell they're distinct? Prepending Event or Data to all the field names would also work.</P> <P>In props.conf:<BR /> <PRE><BR /> [xml_sample]<BR /> SHOULD_LINEMERGE = true<BR /> DATETIME_CONFIG = NONE<BR /> BREAK_ONLY_BEFORE_DATE = false<BR /> BREAK_ONLY_BEFORE =]&gt;<BR /> MUST_BREAK_AFTER = <BR /> </PRE></P> Mon, 28 Sep 2020 18:34:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-rename-xml-fields-in-props-conf/m-p/174180#M35060 cphair 2020-09-28T18:34:37Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-rename-xml-fields-in-props-conf/m-p/174181#M35061 <P>I would disable the automatic key-value extractions with <STRONG>KV_MODE = none</STRONG> and then define your own regex based extractions which use the element names, "Event" and "Data" for example as anchors. If you don't know how to set up regex extractions in the config files, the interactive field extractor tool might help you at least get close to the regex you need if not the exact regex you need, depending on your data and how it responds to you removing the values it gets wrong, presuming it selects incorrect fields from other XML elements.</P> Tue, 06 Jan 2015 19:00:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-rename-xml-fields-in-props-conf/m-p/174181#M35061 chanfoli 2015-01-06T19:00:36Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-rename-xml-fields-in-props-conf/m-p/174182#M35062 <P>I was hoping there was an easier way, but I guess this'll work. Thanks.</P> Wed, 07 Jan 2015 13:14:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-rename-xml-fields-in-props-conf/m-p/174182#M35062 cphair 2015-01-07T13:14:39Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-rename-xml-fields-in-props-conf/m-p/174183#M35063 <P>If its during search time, you can either use the mode=sed with a regular expression</P> <P>For e.g.</P> <P>| rex mode=sed "s///g"</P> <P>OR I would use sedcmd in props.conf</P> <P>SEDCMD-change_field = s///g</P> Wed, 07 Jan 2015 13:34:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-rename-xml-fields-in-props-conf/m-p/174183#M35063 gabetheISguy 2015-01-07T13:34:08Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-rename-xml-fields-in-props-conf/m-p/174184#M35064 <P>Regexing from the search interface isn't convenient when you have to do it for every search. SEDCMD replaces the raw data, and I just want to update the field names.</P> Wed, 07 Jan 2015 14:04:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-rename-xml-fields-in-props-conf/m-p/174184#M35064 cphair 2015-01-07T14:04:35Z