HI,
I am having some logs comes with XML format for Privilaged Access Manager, i need to extract the fields by default like this
Example: fields
<level></level>
<k>=<v>
commandinitiatio =USER
<success>false</success>
success=false
jan 9 09:04:56 1.30.124.24 1 2012-01-09T14:04:56+00:00 yahoota.com pam - metric DETAIL <Metric><type>getAccount</type><level>1</level><description><hashmap><k>commandInitiator</k><v>USER</v><k>commandName</k><v>getAccount</v><k>clientType</k><v>java</v><k>osarch</k><v>amd64</v><k>targetServerAlias</k><v>USR_LOCL_MARKETING_INTELLIGENCE_BATCH</v><k>nodeid</k><v><?xml version="1.0" encoding="utf-8" ?><nodeid><macaddr></macaddr><macaddr>:E0</macaddr><macaddr>A0:C:E0</macaddr><macaddr>:E0</macaddr><macaddr>1:E1</macaddr><macaddr>1:E3</macaddr><macaddr>:E2</macaddr><machineid>1E3</machineid><applicationtype>cspm</applicationtype></nodeid></v><k>enablefips</k><v>true</v><k>executionUID</k><v>bibatusr</v><k>version</k><v>4.5.3</v><k>scriptStat</k><v>/opt/ibm/bigintegrate/tools</v><k>scriptName</k><v>/home/infra/bibatusr/run_ds_job.sh</v><k>osversion</k><v>3.10.0-1127.el7.x86_64</v><k>digestLoginDate</k><k>applicationtype</k><v>cspm</v><k>getXMLIndicator</k><v>false</v></hashmap></description><errorCode>405</errorCode><userID>client</userID><success>false</success><originatingIPAddress>10.111.211.50</originatingIPAddress><originatingHostName>yahoota.com</originatingHostName><extensionType></extensionType></Metric>
I need this as default when these type logs integrated to splunk its automatically extract fields when we set up in props.conf and trasforms.conf so here what is the stanzas we have to write under this.
