Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Index specific tag from XML

michaelrosello
Path Finder
‎05-29-2018 07:33 PM

I'm trying to index only a few fields from my XML Data but I cannot make it work using props and transform

Here is my sample xml data. 

<ase:aseXML xmlns:ase="urn:aseXML:r36" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:aseXML:r36 http://www.nemmco.com.au/asexml/schemas/r36/aseXML_r36.xsd">;
   <Header>
      <From>EEE</From>
      <To>EEQ</To>
      <MessageID>-MSG-62350571</MessageID>
      <MessageDate>2018-05-28T11:48:58.865+10:00</MessageDate>
      <TransactionGroup>OWNX</TransactionGroup>
      <Priority>Medium</Priority>
      <SecurityContext>EGG</SecurityContext>
      <Market>NEM</Market>
   </Header>
   <Transactions>
      <Transaction transactionDate="2018-05-28T11:48:52.029+10:00" transactionID="ERGONETP-TNS-222754923">
         <MeterFaultAndIssueNotification version="r36">
            <NMI checksum="4">3053066985</NMI>
            <DateIdentified>2018-05-28</DateIdentified>
            <SupplyOn>Yes</SupplyOn>
            <ReasonForNotice>Other</ReasonForNotice>
            <Notes>NOTES.</Notes>
         </MeterFaultAndIssueNotification>
      </Transaction>
   </Transactions>
</ase:aseXML>

I only need to index this fields 

     <MessageID>-MSG-62350571</MessageID>
           <MessageDate>2018-05-28T11:48:58.865+10:00</MessageDate>
           <TransactionGroup>OWNX</TransactionGroup>

and here is my props and transform

props.conf
[msatt]
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
TRUNCATE = 0
disabled = false
MAX_EVENTS = 5000
TRANSFORMS-set-nullqueue=set_index,set_nullqueue

transforms.conf

[set_nullqueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[set_index]
REGEX = <MessageID>(?<MessageID>.*)<\/MessageID>\s+<MessageDate>(?<MessageDate>.*)<\/MessageDate>\s+<TransactionGroup>(?<TransactionGroup>.*)\/TransactionGroup>
DEST_KEY = queue
FORMAT = indexQueue
0 Karma
Reply

niketn
Legend
‎05-29-2018 10:15 PM

@michaelrosello, from the sample XML data, which nodes you want to drop and what do you need to retain?

Do you want to index only transactions i.e. <Transactions>....</Transactions>?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

michaelrosello
Path Finder
‎05-29-2018 10:17 PM

ohhh. sorry forgot to add what i want to index.

I want to index only this three values.

-MSG-62350571
2018-05-28T11:48:58.865+10:00OWNX

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...