- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Need help with props.conf and transforms.conf for ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need help with props.conf and transforms.conf for an XML file
Hi,
I am indexing a set of XML files from an S3 bucket, and having troubles getting my config set up correctly.
The XML structure looks like (though it actually has no line-breaks in it);
<messages id="d546d3d0-9160-49d9-8b3e-ee68f19f46f1" message-group="17ffeaca-2384-47ed-b6a3-3d9e77598a7f" sent="2016-01-01T11:11:28.530Z">
<company id="8305307a-4690-4f30-a52d-21855b9c0a0d" name="MyCompany"/>
<application id="fa8c1d06-7d28-4263-a4f9-7bdcc8f51f58" name="MyProduct" version="1.1.0.10" />
<feature id="68c7ff1a-1b61-4c0e-bdc6-74dd6e8ce996" generated="2016-01-01T11:10:55.179Z" session="17ffeaca-2384-47ed-b6a3-3d9e77598a7f" name="Feature1">
<property name="aProperty1" value="aValue1"/>
<property name="aProperty2" value="aValue2"/>
</feature>
<feature id="77de669e-9f9a-4116-8192-048d34e50de9" generated="2016-01-01T11:11:10.371Z" session="17ffeaca-2384-47ed-b6a3-3d9e77598a7f" name="Feature2">
<property name="aProperty1" value="aValue3"/>
<property name="aProperty2" value="aValue4"/>
<property name="aProperty3" value="aValue5"/>
</feature>
<session-stop generated="2016-01-01T11:11:28.327Z" session="17ffeaca-2384-47ed-b6a3-3d9e77598a7f">
<binary id="00000000-0000-0000-0000-000000000000" modified="2015-09-15T19:03:04.000" name="MyDll" version="1.1.0.11"/>
</session-stop>
<app-stop id="9b2438e6-2330-4cfe-9dcb-d5e5c51b111a" generated="2016-01-01T11:11:28.515Z" session="17ffeaca-2384-47ed-b6a3-3d9e77598a7f">
<binary id="00000000-0000-0000-0000-000000000000" modified="2015-09-15T19:03:04.000" name="MyDll" version="1.1.0.11"/>
<user name="fdd3ce461229bb82a7a79f927480d104" admin="false"/>
</app-stop>
</messages>
My props.conf looks like;
[aws:s3:win-analytics]
KV_MODE = xml
LINE_BREAKER = [\>\s]((?=(\<feature|\<session-stop|\<session-start|\<app-start|\<app-stop)\s+[^\>]*\>))
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
pulldown_type = true
disabled = false
TIME_PREFIX=generated
Any my current transforms.conf looks like;
[aws:s3:win-analytics]
REGEX = \<property name="([^\"]+)" value="([^\"]+)"\/\>
FORMAT = $1::$2
Essentially, the XML file consists of events which are represented as any of these blocks;
feature
app-stop
app-start
app-stop
session-stop
I am having some success with my props.conf, though I'm not sure if it's breaking down events correctly, I get alot of nested fields indexed by Splunk.
However, I'm having no success with my transforms.conf
What I want is for an event to not include properties like
feature.property{@name}="aProperty1" feature.property{@value}="aValue1"`
but have fields like;
aProperty1=aValue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I may have realised my problem with transforms.conf; my props.conf did not contain a TRANSFORM- or REPORT- stanza, so the transform was not being applied.
I've added this in and seem to be getting some extractions now!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should click Accept on your answer to close the question.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
