I am trying to make key=value pairs for the data below, and I am lost on where I am going wrong.
6/26/15 10:26 AM,abcdefg.com:CRDMS,Oracle Database Server,DB Role (Oracle) Assignment report,Query Rule,Query=DB Role assignment query,"<?xml version=""1.0"" encoding=""UTF-8"" ?> <ResultSetData> <Row> <Column name=""Server Name"">abc.abc</Column> <Column name=""Database Name"">CRDMS</Column> <Column name=""Role Name"">PCI_READ_IARD</Column> <Column name=""Role Grantee"">SYS</Column> <Column name=""Server NetBIOS Name"">abc.abc</Column> </Row>
What I plan to do is to make KEY=VALUE pairs for all the names with their corresponding values. Example: “Server Name” = abc.abc, Database Name=CRDMS, etc.

[test]
TRANSFORMS-ext = ext_column_values
TRUNCATE=100000

[ext_column_values]
REGEX = ^\s+\<Column\s+name\=\"\"([^\"]+)\"\"\>([^\<]+)\<
FORMAT = $1::$2
#MV_ADD = true
#WRITE_META = true
SOURCE_KEY = _raw
But it doesn’t seem to work. Not sure what I am doing wrong. Any ideas?
It all looks good to me except that you definitely need MV_ADD=true, so remove the comment character on that line. The RegEx might be better as explicitly multiline:

REGEX = (?m)^\s+\<Column\s+name\=\"\"([^\"]+)\"\"\>([^\<]+)\<
MV_ADD = true
sourcetype for the events that you would like to exploit called test? If not, you need to change your stanza header in [yourSourceType] before it will all be connected together. Also, you may have a permission problem depending on where you have placed the transforms.conf files. You might try setting the permissions to Global to test if this is the problem.
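Added example, not part of the original thread: an offline check of the two REGEX values above against the sample event, with Python's `re` standing in for Splunk's regex engine (an assumption). The multi-line event layout and the `UNANCHORED` pattern are constructed here for comparison and do not come from the posts.

```python
import re

# Patterns copied from the thread; Python's re stands in for Splunk's PCRE (assumption).
ASKER_REGEX = r'^\s+\<Column\s+name\=\"\"([^\"]+)\"\"\>([^\<]+)\<'
ANSWER_REGEX = r'(?m)' + ASKER_REGEX
# Hypothetical variant without the ^\s+ anchor (not from the thread).
UNANCHORED = r'<Column\s+name=""([^"]+)"">([^<]+)<'

HEADER = ('6/26/15 10:26 AM,abcdefg.com:CRDMS,Oracle Database Server,'
          'DB Role (Oracle) Assignment report,Query Rule,'
          'Query=DB Role assignment query,')
COLUMNS = [("Server Name", "abc.abc"), ("Database Name", "CRDMS"),
           ("Role Name", "PCI_READ_IARD"), ("Role Grantee", "SYS"),
           ("Server NetBIOS Name", "abc.abc")]


def build_event(sep):
    """Rebuild the sample event; sep is the whitespace placed between XML tags."""
    tags = ['<Column name=""%s"">%s</Column>' % c for c in COLUMNS]
    parts = (['"<?xml version=""1.0"" encoding=""UTF-8"" ?>',
              '<ResultSetData>', '<Row>'] + tags + ['</Row>'])
    return HEADER + sep.join(parts)


def extract_pairs(pattern, event):
    """Return every (name, value) pair the pattern captures, in event order."""
    return [(m.group(1), m.group(2)) for m in re.finditer(pattern, event)]


SINGLE_LINE = build_event(" ")       # layout as the event appears in the question
MULTI_LINE = build_event("\n    ")   # constructed: each tag on its own indented line

if __name__ == "__main__":
    for label, pattern in [("asker", ASKER_REGEX), ("answer (?m)", ANSWER_REGEX),
                           ("unanchored", UNANCHORED)]:
        for layout, event in [("single-line", SINGLE_LINE),
                              ("multi-line", MULTI_LINE)]:
            pairs = extract_pairs(pattern, event)
            print("%-12s %-11s -> %d pairs %s" % (label, layout, len(pairs), pairs[:1]))
```

The anchored patterns only match when each `<Column>` tag begins its own line, so checking the raw event's line structure comes before changing the stanza.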