Need help with props.conf and transforms.conf for an XML file

rjlohan
Explorer

Hi,

I am indexing a set of XML files from an S3 bucket, and having troubles getting my config set up correctly.

The XML structure looks like this (though it actually has no line breaks in it):

    <messages id="d546d3d0-9160-49d9-8b3e-ee68f19f46f1" message-group="17ffeaca-2384-47ed-b6a3-3d9e77598a7f" sent="2016-01-01T11:11:28.530Z">
        <company id="8305307a-4690-4f30-a52d-21855b9c0a0d" name="MyCompany"/>
        <application id="fa8c1d06-7d28-4263-a4f9-7bdcc8f51f58" name="MyProduct" version="1.1.0.10" />
        <feature id="68c7ff1a-1b61-4c0e-bdc6-74dd6e8ce996" generated="2016-01-01T11:10:55.179Z" session="17ffeaca-2384-47ed-b6a3-3d9e77598a7f" name="Feature1">
            <property name="aProperty1" value="aValue1"/>
            <property name="aProperty2" value="aValue2"/>
        </feature>
        <feature id="77de669e-9f9a-4116-8192-048d34e50de9" generated="2016-01-01T11:11:10.371Z" session="17ffeaca-2384-47ed-b6a3-3d9e77598a7f" name="Feature2">
            <property name="aProperty1" value="aValue3"/>
            <property name="aProperty2" value="aValue4"/>
            <property name="aProperty3" value="aValue5"/>
        </feature>
        <session-stop generated="2016-01-01T11:11:28.327Z" session="17ffeaca-2384-47ed-b6a3-3d9e77598a7f">
            <binary id="00000000-0000-0000-0000-000000000000" modified="2015-09-15T19:03:04.000" name="MyDll" version="1.1.0.11"/>
        </session-stop>
        <app-stop id="9b2438e6-2330-4cfe-9dcb-d5e5c51b111a" generated="2016-01-01T11:11:28.515Z" session="17ffeaca-2384-47ed-b6a3-3d9e77598a7f">
            <binary id="00000000-0000-0000-0000-000000000000" modified="2015-09-15T19:03:04.000" name="MyDll" version="1.1.0.11"/>
            <user name="fdd3ce461229bb82a7a79f927480d104" admin="false"/>
        </app-stop>
    </messages>

My props.conf looks like:

[aws:s3:win-analytics]
KV_MODE = xml
LINE_BREAKER = [\>\s]((?=(\<feature|\<session-stop|\<session-start|\<app-start|\<app-stop)\s+[^\>]*\>))
DATETIME_CONFIG = 
NO_BINARY_CHECK = true
category = Custom
pulldown_type = true
disabled = false
TIME_PREFIX = generated

And my current transforms.conf looks like:

[aws:s3:win-analytics]
REGEX = \<property name="([^\"]+)" value="([^\"]+)"\/\>
FORMAT = $1::$2

Essentially, the XML file consists of events which are represented as any of these blocks:
feature
app-stop
app-start
app-stop
session-stop

I am having some success with my props.conf, though I'm not sure if it's breaking down events correctly; I get a lot of nested fields indexed by Splunk.

However, I'm having no success with my transforms.conf.

What I want is for an event to not include properties like:
feature.property{@name}="aProperty1"
feature.property{@value}="aValue1"

but have fields like:
aProperty1=aValue

0 Karma
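To see what the LINE_BREAKER and the transforms REGEX above actually do to the sample, here is a small Python emulation (an added example, not the poster's code or anything from Splunk). It flattens the XML to one line the way the question says the S3 objects arrive, splits it at the LINE_BREAKER matches the way Splunk does (boundary at capture group 1, group 1 text discarded), then applies the property REGEX with the `$1::$2` FORMAT semantics and the `TIME_PREFIX = generated` lookup to each resulting event. The timestamp helper assumes Splunk's default MAX_TIMESTAMP_LOOKAHEAD of 128 characters; the ISO timestamp pattern is my own approximation of Splunk's automatic timestamp recognition.

```python
import re

# Constructed sample: the poster's XML as it arrives from S3, with the
# line breaks removed (the question says the real file has none).
SAMPLE_XML = "".join(line.strip() for line in """
<messages id="d546d3d0-9160-49d9-8b3e-ee68f19f46f1" message-group="17ffeaca-2384-47ed-b6a3-3d9e77598a7f" sent="2016-01-01T11:11:28.530Z">
    <company id="8305307a-4690-4f30-a52d-21855b9c0a0d" name="MyCompany"/>
    <application id="fa8c1d06-7d28-4263-a4f9-7bdcc8f51f58" name="MyProduct" version="1.1.0.10" />
    <feature id="68c7ff1a-1b61-4c0e-bdc6-74dd6e8ce996" generated="2016-01-01T11:10:55.179Z" session="17ffeaca-2384-47ed-b6a3-3d9e77598a7f" name="Feature1">
        <property name="aProperty1" value="aValue1"/>
        <property name="aProperty2" value="aValue2"/>
    </feature>
    <feature id="77de669e-9f9a-4116-8192-048d34e50de9" generated="2016-01-01T11:11:10.371Z" session="17ffeaca-2384-47ed-b6a3-3d9e77598a7f" name="Feature2">
        <property name="aProperty1" value="aValue3"/>
        <property name="aProperty2" value="aValue4"/>
        <property name="aProperty3" value="aValue5"/>
    </feature>
    <session-stop generated="2016-01-01T11:11:28.327Z" session="17ffeaca-2384-47ed-b6a3-3d9e77598a7f">
        <binary id="00000000-0000-0000-0000-000000000000" modified="2015-09-15T19:03:04.000" name="MyDll" version="1.1.0.11"/>
    </session-stop>
    <app-stop id="9b2438e6-2330-4cfe-9dcb-d5e5c51b111a" generated="2016-01-01T11:11:28.515Z" session="17ffeaca-2384-47ed-b6a3-3d9e77598a7f">
        <binary id="00000000-0000-0000-0000-000000000000" modified="2015-09-15T19:03:04.000" name="MyDll" version="1.1.0.11"/>
        <user name="fdd3ce461229bb82a7a79f927480d104" admin="false"/>
    </app-stop>
</messages>
""".splitlines())

# The poster's LINE_BREAKER and transforms REGEX, copied from the question.
LINE_BREAKER = re.compile(
    r"[\>\s]((?=(\<feature|\<session-stop|\<session-start|\<app-start|\<app-stop)\s+[^\>]*\>))"
)
PROPERTY_REGEX = re.compile(r'\<property name="([^\"]+)" value="([^\"]+)"\/\>')

# TIME_PREFIX from props.conf; the lookahead is Splunk's default (assumption:
# the poster did not override MAX_TIMESTAMP_LOOKAHEAD).
TIME_PREFIX = "generated"
MAX_TIMESTAMP_LOOKAHEAD = 128
# Approximation of the ISO-8601 form used in this file, not Splunk's full recogniser.
ISO_TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?")


def break_events(raw):
    """Emulate LINE_BREAKER: every match is an event boundary and the text
    captured by group 1 is discarded. Here group 1 wraps a lookahead, so it
    is empty and nothing is lost; the single '>' or whitespace character
    consumed before it stays with the preceding event."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def extract_properties(event):
    """Emulate REGEX with FORMAT = $1::$2: each <property> match becomes a
    field named by group 1 with group 2 as its value. Splunk only runs a
    transforms stanza when props.conf binds it (REPORT-<name> = <stanza>)."""
    return dict(PROPERTY_REGEX.findall(event))


def extract_timestamp(event):
    """Emulate TIME_PREFIX = generated: search the window after the first
    occurrence of the prefix. Returns None when the event has no 'generated'
    attribute, which is what happens to the leading <messages>/<company>/
    <application> chunk that the breaker leaves in front of the first <feature>."""
    idx = event.find(TIME_PREFIX)
    if idx == -1:
        return None
    begin = idx + len(TIME_PREFIX)
    m = ISO_TIMESTAMP.search(event[begin:begin + MAX_TIMESTAMP_LOOKAHEAD])
    return m.group(0) if m else None


if __name__ == "__main__":
    for i, ev in enumerate(break_events(SAMPLE_XML)):
        print(f"event {i}: ts={extract_timestamp(ev)} fields={extract_properties(ev)}")
        print("    " + ev[:70] + ("..." if len(ev) > 70 else ""))
```

Running it shows five events: the `<messages>` header with its `<company>` and `<application>` children (no `generated` attribute, so no timestamp from TIME_PREFIX), two `feature` events carrying the `aProperty*` fields, the `session-stop`, and the `app-stop` with the trailing `</messages>` attached. That first header chunk is the kind of thing that produces the extra nested fields the question mentions; whether to keep it or route it to nullQueue is a separate decision.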

rjlohan
Explorer

I think I may have realised my problem with transforms.conf; my props.conf did not contain a TRANSFORM- or REPORT- stanza, so the transform was not being applied.

I've added this in and seem to be getting some extractions now!

0 Karma

woodcock
Esteemed Legend

You should click Accept on your answer to close the question.

0 Karma