Archive

To monitor a file directory via forwarder

chimbudp
Contributor

1.I have configured inputs.conf to monitor c:\windows\assembly folder in windows Server
2.I am using [fschange = folder path] to monitor asseblies
3.I am getting into Splunk
4.But, i am getting data in the format of XML , no fields are deducted by Splunk automatic indexing
i have set source type to assembly
5.I need to view fields like version, date created , date modified, oldVersion, newVersion.

  • Do i need to configure anything other than this , to get proper data ?
  • Please help
Tags (1)
0 Karma
1 Solution

Ron_Naken
Splunk Employee
Splunk Employee

There are examples here on how to use the spath command to extract XML KV pairs at search time:
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Spath

My preferred method for parsing XML is to use props.conf KV_MODE, as it provides a tree view and autoextraction of all your XML fields:

PROPS.CONF:
[assembly]
KV_MODE = xml

Docs are here:
http://docs.splunk.com/Documentation/Splunk/5.0.2/admin/Propsconf

View solution in original post

Ron_Naken
Splunk Employee
Splunk Employee

There are examples here on how to use the spath command to extract XML KV pairs at search time:
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Spath

My preferred method for parsing XML is to use props.conf KV_MODE, as it provides a tree view and autoextraction of all your XML fields:

PROPS.CONF:
[assembly]
KV_MODE = xml

Docs are here:
http://docs.splunk.com/Documentation/Splunk/5.0.2/admin/Propsconf

View solution in original post