I have one xml file
I want to extract the fields/values IN BETWEEN and and throw away any of the lines before the very first and after the very last .
(In XML, the fields/values are located on each line in the form value)
4. Use the date in the ActionDate field and the time in the ActionTime field as the timestamp.
<Interceptor>
  <AttackCoords>-423423445345345.10742916222947</AttackCoords>
  <Outcome>Inteccccn</Outcome>
  <Infiltrators>20</Infiltrators>
  <Enforcer>Iwildwood</Enforcer>
  <ActionDate>2013-04-24</ActionDate>
  <ActionTime>00:07:00</ActionTime>
  <RecordNotes></RecordNotes>
  <NumEscaped>0</NumEscaped>
  <LaunchCoords>-80.23429525620114,24.08680387475695</LaunchCoords>
  <AttackVessel>local</AttackVessel>
</Interceptor>
Below is my props.conf and transforms.conf:
NO_BINARY_CHECK = true
category = Custom
disabled = false
pulldown_type = true
PREAMBLE_REGEX = ^<\S+.*
REPORT-dream = dream
REGEX = ^<(.*?)>(\S+)<
When I check the events there are no search-time extractions.
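The following is an added example, not part of the original question or any answer: it runs the REGEX from the posted transforms.conf against the posted event (reconstructed here as a single line, as it appears in the question) and compares the result with an XML-aware parse of the same event, which is what xmlkv or spath would give. The parse also combines ActionDate and ActionTime into one timestamp, as step 4 asks. xml.etree stands in for Splunk's XML extraction; the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Sample event, constructed from the XML posted in the question (one line).
EVENT = (
    "<Interceptor> <AttackCoords>-423423445345345.10742916222947</AttackCoords> "
    "<Outcome>Inteccccn</Outcome> <Infiltrators>20</Infiltrators> "
    "<Enforcer>Iwildwood</Enforcer> <ActionDate>2013-04-24</ActionDate> "
    "<ActionTime>00:07:00</ActionTime> <RecordNotes></RecordNotes> "
    "<NumEscaped>0</NumEscaped> "
    "<LaunchCoords>-80.23429525620114,24.08680387475695</LaunchCoords> "
    "<AttackVessel>local</AttackVessel> </Interceptor>"
)

# The REGEX from the posted transforms.conf, unchanged.
POSTED_REGEX = re.compile(r"^<(.*?)>(\S+)<")


def regex_extract(event: str) -> dict:
    """Apply the posted regex the way a REPORT-* transform would.

    ^ anchors at the start of the event only, so there is at most one
    match, and on a one-line event the lazy (.*?) has to run past the
    outer <Interceptor> tag before (\\S+)< can succeed, which mangles
    the captured field name.
    """
    m = POSTED_REGEX.search(event)
    return {m.group(1): m.group(2)} if m else {}


def xml_extract(event: str) -> dict:
    """Parse the event as XML and return {child tag: text}.

    This is the shape xmlkv/spath produce; an empty element such as
    <RecordNotes></RecordNotes> becomes an empty string, not a missing key.
    """
    root = ET.fromstring(event)
    return {child.tag: (child.text or "") for child in root}


def event_timestamp(fields: dict) -> datetime:
    """Combine ActionDate and ActionTime into one timestamp (step 4 in the question)."""
    return datetime.strptime(
        f"{fields['ActionDate']} {fields['ActionTime']}", "%Y-%m-%d %H:%M:%S"
    )


if __name__ == "__main__":
    print("regex:", regex_extract(EVENT))
    print("xml:  ", xml_extract(EVENT))
    print("ts:   ", event_timestamp(xml_extract(EVENT)))
```

The regex path yields a single pair whose "field name" is `Interceptor> <AttackCoords`, while the XML path yields all ten children with their proper names, which is why the answers below point at xmlkv/spath rather than a line-anchored regex. If the events come from a source you do not control, note that xml.etree is not hardened against entity-expansion payloads; defusedxml is the usual drop-in for that case.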
You didn’t say in between what...
Have you tried the xmlkv command? How about xpath or spath? See these links on how to use those:
props.conf on the universal forwarder
Or, if you want to extract the fields automatically at search time, use KV_MODE instead of INDEXED_EXTRACTIONS. INDEXED_EXTRACTIONS actually indexes the fields, which takes more disk space, but it makes all the fields available to tstats searches. On a small data source it can be great; on a large data source it can cause more problems than it's worth.
Also note that INDEXED_EXTRACTIONS occur on the first Splunk instance that sees the data (typically a forwarder, maybe your laptop in this case).