Implement Generic Indexer for XML File With Repeat...

moneybox · ‎12-22-2013

Hi,
I'm using splunk for few weeks and its seems really great but recently i had some issue with one of the needs in a new project.

My target is to perform indexing and searching by tag inside XML Files within the following format

value
value
value
xxxxz
ceijciejci

I have no idea what will be the inner fields and how deep will they go.

a success would be for me a way to index everything by key-Value so i could search any of the keys and get all matching object with proper value within them.

my senses tells me i need to write some generic regex for this so thats what i did:

LINE_BREAKER=(<FileItem>.*?/) ### Object Bounderis

REGEX = <(?<_KEY_1>.+?)>(?<_VAL_1>.+?)<\/.+?> ### Generic Key-Value Indexer

its working really nice but there is one issue.
when i have 2 duplicate key with the same name and different value its seems like splunk takes only the first one of them [for example if i search Blabla=xxxxz it wont return any results]

is there any way to do it better and solve my issue?

Thanks.
:)

moneybox · ‎12-23-2013

Thanks Alot!~!

gkanapathy · ‎12-23-2013

You can just add the key

MV_ADD = true

to your transforms extraction. That will turn a field with multiple values into a multi-valued field.

moneybox · ‎12-23-2013

Thanks :)))

Implement Generic Indexer for XML File With Repeating Key Names

I have no idea what will be the inner fields and how deep will they go.

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?