<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Index specific tag from XML in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Index-specific-tag-from-XML/m-p/430668#M75378</link>
    <description>&lt;P&gt;ohhh. sorry forgot to add what i want to index.&lt;/P&gt;

&lt;P&gt;I want to index only this three values.&lt;/P&gt;

&lt;P&gt;-MSG-62350571&lt;BR /&gt;
2018-05-28T11:48:58.865+10:00OWNX&lt;/P&gt;</description>
    <pubDate>Wed, 30 May 2018 05:17:47 GMT</pubDate>
    <dc:creator>michaelrosello</dc:creator>
    <dc:date>2018-05-30T05:17:47Z</dc:date>
    <item>
      <title>Index specific tag from XML</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Index-specific-tag-from-XML/m-p/430666#M75376</link>
      <description>&lt;P&gt;I'm trying to index only a few fields from my XML Data but I cannot make it work using props and transform&lt;/P&gt;

&lt;P&gt;Here is my sample xml data. &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;&amp;lt;ase:aseXML xmlns:ase="urn:aseXML:r36" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:aseXML:r36 &lt;A href="http://www.nemmco.com.au/asexml/schemas/r36/aseXML_r36.xsd&amp;quot;&amp;gt;" target="test_blank"&gt;http://www.nemmco.com.au/asexml/schemas/r36/aseXML_r36.xsd"&amp;gt;&lt;/A&gt;;
   &amp;lt;Header&amp;gt;
      &amp;lt;From&amp;gt;EEE&amp;lt;/From&amp;gt;
      &amp;lt;To&amp;gt;EEQ&amp;lt;/To&amp;gt;
      &amp;lt;MessageID&amp;gt;-MSG-62350571&amp;lt;/MessageID&amp;gt;
      &amp;lt;MessageDate&amp;gt;2018-05-28T11:48:58.865+10:00&amp;lt;/MessageDate&amp;gt;
      &amp;lt;TransactionGroup&amp;gt;OWNX&amp;lt;/TransactionGroup&amp;gt;
      &amp;lt;Priority&amp;gt;Medium&amp;lt;/Priority&amp;gt;
      &amp;lt;SecurityContext&amp;gt;EGG&amp;lt;/SecurityContext&amp;gt;
      &amp;lt;Market&amp;gt;NEM&amp;lt;/Market&amp;gt;
   &amp;lt;/Header&amp;gt;
   &amp;lt;Transactions&amp;gt;
      &amp;lt;Transaction transactionDate="2018-05-28T11:48:52.029+10:00" transactionID="ERGONETP-TNS-222754923"&amp;gt;
         &amp;lt;MeterFaultAndIssueNotification version="r36"&amp;gt;
            &amp;lt;NMI checksum="4"&amp;gt;3053066985&amp;lt;/NMI&amp;gt;
            &amp;lt;DateIdentified&amp;gt;2018-05-28&amp;lt;/DateIdentified&amp;gt;
            &amp;lt;SupplyOn&amp;gt;Yes&amp;lt;/SupplyOn&amp;gt;
            &amp;lt;ReasonForNotice&amp;gt;Other&amp;lt;/ReasonForNotice&amp;gt;
            &amp;lt;Notes&amp;gt;NOTES.&amp;lt;/Notes&amp;gt;
         &amp;lt;/MeterFaultAndIssueNotification&amp;gt;
      &amp;lt;/Transaction&amp;gt;
   &amp;lt;/Transactions&amp;gt;
&amp;lt;/ase:aseXML&amp;gt;
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I only need to index this fields &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;     &amp;lt;MessageID&amp;gt;-MSG-62350571&amp;lt;/MessageID&amp;gt;
           &amp;lt;MessageDate&amp;gt;2018-05-28T11:48:58.865+10:00&amp;lt;/MessageDate&amp;gt;
           &amp;lt;TransactionGroup&amp;gt;OWNX&amp;lt;/TransactionGroup&amp;gt;
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;and here is my props and transform&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;props.conf
[msatt]
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
TRUNCATE = 0
disabled = false
MAX_EVENTS = 5000
TRANSFORMS-set-nullqueue=set_index,set_nullqueue

transforms.conf

[set_nullqueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[set_index]
REGEX = &amp;lt;MessageID&amp;gt;(?&amp;lt;MessageID&amp;gt;.*)&amp;lt;\/MessageID&amp;gt;\s+&amp;lt;MessageDate&amp;gt;(?&amp;lt;MessageDate&amp;gt;.*)&amp;lt;\/MessageDate&amp;gt;\s+&amp;lt;TransactionGroup&amp;gt;(?&amp;lt;TransactionGroup&amp;gt;.*)\/TransactionGroup&amp;gt;
DEST_KEY = queue
FORMAT = indexQueue
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 30 May 2018 02:33:45 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Index-specific-tag-from-XML/m-p/430666#M75376</guid>
      <dc:creator>michaelrosello</dc:creator>
      <dc:date>2018-05-30T02:33:45Z</dc:date>
    </item>
    <item>
      <title>Re: Index specific tag from XML</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Index-specific-tag-from-XML/m-p/430667#M75377</link>
      <description>&lt;P&gt;@michaelrosello, from the sample XML data, which nodes you want to drop and what do you need to retain?&lt;/P&gt;

&lt;P&gt;Do you want to index only transactions i.e. &lt;CODE&gt;&amp;lt;Transactions&amp;gt;....&amp;lt;/Transactions&amp;gt;&lt;/CODE&gt;?&lt;/P&gt;</description>
      <pubDate>Wed, 30 May 2018 05:15:23 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Index-specific-tag-from-XML/m-p/430667#M75377</guid>
      <dc:creator>niketn</dc:creator>
      <dc:date>2018-05-30T05:15:23Z</dc:date>
    </item>
    <item>
      <title>Re: Index specific tag from XML</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Index-specific-tag-from-XML/m-p/430668#M75378</link>
      <description>&lt;P&gt;ohhh. sorry forgot to add what i want to index.&lt;/P&gt;

&lt;P&gt;I want to index only this three values.&lt;/P&gt;

&lt;P&gt;-MSG-62350571&lt;BR /&gt;
2018-05-28T11:48:58.865+10:00OWNX&lt;/P&gt;</description>
      <pubDate>Wed, 30 May 2018 05:17:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Index-specific-tag-from-XML/m-p/430668#M75378</guid>
      <dc:creator>michaelrosello</dc:creator>
      <dc:date>2018-05-30T05:17:47Z</dc:date>
    </item>
  </channel>
</rss>

