Getting Data In

Make Key=Value fields from _raw data during indextime

theouhuios
Motivator

Hello

I am trying to make key=value pairs for the below data and I am lost as to where I am going wrong.

6/26/15 10:26 AM,abcdefg.com:CRDMS,Oracle Database Server,DB Role (Oracle) Assignment report,Query Rule,Query=DB Role assignment query,"<?xml version=""1.0"" encoding=""UTF-8"" ?>
<ResultSetData>
  <Row>
    <Column name=""Server Name"">abc.abc</Column>
    <Column name=""Database Name"">CRDMS</Column>
    <Column name=""Role Name"">PCI_READ_IARD</Column>
    <Column name=""Role Grantee"">SYS</Column>
    <Column name=""Server NetBIOS Name"">abc.abc</Column>
  </Row>

What I plan to do is to make KEY=VALUE pairs for all the names with their corresponding values. Example: “Server Name” = abc.abc, Database Name=CRDMS, etc.

Props.conf:

[test]
TRANSFORMS-ext = ext_column_values
TRUNCATE=100000

Transforms.conf

[ext_column_values]
REGEX = ^\s+\<Column\s+name\=\"\"([^\"]+)\"\"\>([^\<]+)\<
FORMAT = $1::$2
#MV_ADD = true
#WRITE_META = true
SOURCE_KEY = _raw

But it doesn’t seem to work. Not sure what I am doing wrong. Any ideas?

0 Karma

woodcock
Esteemed Legend

It all looks good to me except that you definitely need MV_ADD=true, so remove the comment character on that line. Also, the RegEx might be better as explicitly multiline:

REGEX = (?m)^\s+\<Column\s+name\=\"\"([^\"]+)\"\"\>([^\<]+)\<
MV_ADD = true

0 Karma
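To check the point about the multiline anchor offline, here is an added Python example (not from the thread) that runs the question's REGEX against a constructed copy of the event, once as posted and once with the (?m) prefix, and collects the $1::$2 pairs the way MV_ADD=true would. The event text and the MV_ADD simulation are assumptions for illustration, not Splunk's own behaviour.

```python
import re
from collections import defaultdict

# Constructed copy of the event from the question as it would sit in _raw:
# a CSV line whose last field is an XML document with CSV-doubled quotes ("").
RAW_EVENT = (
    '6/26/15 10:26 AM,abcdefg.com:CRDMS,Oracle Database Server,'
    'DB Role (Oracle) Assignment report,Query Rule,'
    'Query=DB Role assignment query,"<?xml version=""1.0"" encoding=""UTF-8"" ?>\n'
    '<ResultSetData>\n'
    '  <Row>\n'
    '    <Column name=""Server Name"">abc.abc</Column>\n'
    '    <Column name=""Database Name"">CRDMS</Column>\n'
    '    <Column name=""Role Name"">PCI_READ_IARD</Column>\n'
    '    <Column name=""Role Grantee"">SYS</Column>\n'
    '    <Column name=""Server NetBIOS Name"">abc.abc</Column>\n'
    '  </Row>\n'
)

# The REGEX from the question, verbatim, and the explicitly multiline variant.
REGEX_ORIGINAL = r'^\s+\<Column\s+name\=\"\"([^\"]+)\"\"\>([^\<]+)\<'
REGEX_MULTILINE = '(?m)' + REGEX_ORIGINAL


def extract_columns(raw: str, regex: str) -> dict[str, list[str]]:
    """Apply the REGEX to the whole event: every match becomes one $1::$2
    pair, and (simulating MV_ADD=true) a name seen more than once
    accumulates values instead of being overwritten."""
    fields: dict[str, list[str]] = defaultdict(list)
    for name, value in re.findall(regex, raw):
        fields[name].append(value)
    return dict(fields)


def as_key_value(fields: dict[str, list[str]]) -> list[str]:
    """Render the KEY=VALUE form the question asks for; names containing
    spaces are quoted, as they would have to be in a search."""
    out = []
    for name, values in fields.items():
        key = f'"{name}"' if ' ' in name else name
        out.extend(f'{key}={v}' for v in values)
    return out


if __name__ == '__main__':
    # Without (?m), ^ only matches at the start of _raw, which begins with the
    # date, so the pattern never fires and nothing is extracted.
    print('without (?m):', extract_columns(RAW_EVENT, REGEX_ORIGINAL))
    for kv in as_key_value(extract_columns(RAW_EVENT, REGEX_MULTILINE)):
        print(kv)
```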

theouhuios
Motivator

I tried it and it still doesn't work. Kinda strange. I am applying them on the indexer and doing a oneshot on it for now.

0 Karma

woodcock
Esteemed Legend

Is the sourcetype for the events that you would like to exploit called test? If not, you need to change your stanza header in props.conf from [test] to [yourSourceType] before it will all be connected together. Also, you may have a permission problem depending on where you have placed the props.conf and transforms.conf files. You might try setting the permissions to Global to test if this is the problem.

0 Karma