Splunk Enterprise

Extract xml section in props.conf

Hazel
Communicator

Hello

I am trying to extract specific sections from my XML file in props.conf into events. The events should look like the following and appear multiple times inside my XML:

  <jms-system-resource>
    <name>Routere</name>
    <target>trade</target>
    <sub-deployment>
      <name>DeployToRouter</name>
      <target>RouterS</target>
    </sub-deployment>
    <descriptor-file-name>jms/router.xml</descriptor-file-name>
  </jms-system-resource>

Is there a way to extract these out using props.conf? I can get it to break when it finds <jms-system-resource>, which successfully creates events that start with <jms-system-resource, but then I want to split off the event again at <jms-system-resource>. Is there any way to do this? I've tried a couple of things but can't get it to work.

I basically think I want a combination of BREAK_ONLY_BEFORE and BREAK_ONLY_AFTER, but it doesn't work. Or, is there a way to use "or" inside a BREAK_ONLY_BEFORE? I tried this too:

BREAK_ONLY_BEFORE = (<jms-system-resource>|<jds-datasource)

Which is one of the options that usually follows the jms-system resource, but this didn't work either.

Any ideas?

Hazel

0 Karma

lguinn2
Legend

The < (less-than sign) is a special character in regular expressions, and must be escaped. Also, I have found that it works best to specify "non-capturing" parentheses. So I would use this regular expression, and I think it would do what you want.

BREAK_ONLY_BEFORE = (?:\<jms-system-resource>|\<jds-datasource)
0 Karma
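An offline check of the break pattern discussed above, as an added example that is not part of the original thread: it approximates line merging by opening a new event at every line that matches the BREAK_ONLY_BEFORE regex, and ignores timestamp-based breaking and event size limits. The `<jds-datasource>` contents, the second resource block, and the helper names `merge_lines` and `last_lines` are constructed for illustration.

```python
import re

# Constructed sample: the block from the question, followed by a hypothetical
# <jds-datasource> element and a second (shortened) resource block.
SAMPLE = """\
<jms-system-resource>
  <name>Routere</name>
  <target>trade</target>
  <sub-deployment>
    <name>DeployToRouter</name>
    <target>RouterS</target>
  </sub-deployment>
  <descriptor-file-name>jms/router.xml</descriptor-file-name>
</jms-system-resource>
<jds-datasource>
  <name>constructed-ds</name>
</jds-datasource>
<jms-system-resource>
  <name>constructed-second</name>
</jms-system-resource>
"""

SINGLE = r"\<jms-system-resource>"
EITHER = r"(?:\<jms-system-resource>|\<jds-datasource)"  # regex from the answer


def merge_lines(text, break_only_before):
    """Group lines into events; a line matching the regex opens a new event."""
    pattern = re.compile(break_only_before)
    events, current = [], []
    for line in text.splitlines():
        if current and pattern.search(line):
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def last_lines(events):
    """Last line of each event, to see where each one was cut."""
    return [e.splitlines()[-1].strip() for e in events]


if __name__ == "__main__":
    for name, rx in (("single", SINGLE), ("either", EITHER)):
        print(name, last_lines(merge_lines(SAMPLE, rx)))
```

With the single pattern the datasource element stays attached to the first resource event; with the alternation each resource event ends at its own closing tag as long as the next element is one of the listed alternatives.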