Splunk Search

How to parse XML and props.conf?

poojithavasanth
Explorer

This is very similar to a lot of XML parsing questions, however I have read through ~20 topics and am still unable to get my XML log to parse properly.

Here is a sample of my XML file:

<?xml version="1.0" encoding="UTF-8"?><AuditMessage xmlns:xsi="XMLSchema-instance" xsi:noNamespaceSchemaLocation="HL7-audit-message-payload_1_3.xsd"><EventIdentification EventActionCode="R" EventDateTime="2022-11-07T04:18:01"></EventIdentification></AuditMessage>
<?xml version="1.0" encoding="UTF-8"?><AuditMessage xmlns:xsi="XMLSchema-instance" xsi:noNamespaceSchemaLocation="HL7-audit-message-payload_1_3.xsd"><EventIdentification EventActionCode="E" EventDateTime="2022-11-07T05:18:01"></EventIdentification></AuditMessage>

Here are the entire contents of my props.conf file: 

[xxx:xxx:audit:xml]
MUST_BREAK_AFTER = \</AuditMessage\>
KV_MODE = xml
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
TIMESTAMP_FIELDS = <EventDateTime>
TIME_PREFIX = <EventDateTime>
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
category = Custom
disabled = false

I would need your assistance to parse the events.

Thank you.

1 Solution

scelikok
SplunkTrust

Hi @poojithavasanth,

I think you didn't use my settings as they are. Please remove TIMESTAMP_FIELDS setting. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.


poojithavasanth
Explorer

Perfect. Thank you!



poojithavasanth
Explorer

Thank you @richgalloway and @scelikok 

I did not get any error; however, I see timestamp being none. 

Also, the timestamp in the file is not same as the timestamp which is marked in blue.

[screenshot attachment: poojithavasanth_2-1675952917706.png]

scelikok
SplunkTrust

Hi @poojithavasanth,

Below should work;

[xxx:xxx:audit:xml]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
KV_MODE=xml
TIME_FORMAT=%Y-%m-%dT%H:%M:%S
TIME_PREFIX=EventDateTime="
MAX_TIMESTAMP_LOOKAHEAD=19
If this reply helps you an upvote and "Accept as Solution" is appreciated.
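To make the difference between the two TIME_PREFIX values concrete (richgalloway's point that the angle brackets are wrong, and scelikok's final props.conf), here is an added example that is not part of the thread: a small Python model of how LINE_BREAKER, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT are applied to the two sample events, plus the kind of field names KV_MODE=xml produces. It is a simplified simulation written for this page, not Splunk's parser; the field-naming convention (element path with dots, attributes as `{@name}`) and the 128-character default lookahead are assumptions stated in the code. The sample log lines are constructed from the question.

```python
"""Simplified model of the props.conf settings discussed in this thread.

Constructed example: this is NOT Splunk's parser. It mimics the order in which
LINE_BREAKER, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT are applied
so the effect of each setting on the sample events can be seen offline.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample input: the two HL7 audit messages from the question, one per line.
SAMPLE_LOG = (
    '<?xml version="1.0" encoding="UTF-8"?><AuditMessage xmlns:xsi="XMLSchema-instance" '
    'xsi:noNamespaceSchemaLocation="HL7-audit-message-payload_1_3.xsd">'
    '<EventIdentification EventActionCode="R" EventDateTime="2022-11-07T04:18:01">'
    '</EventIdentification></AuditMessage>\n'
    '<?xml version="1.0" encoding="UTF-8"?><AuditMessage xmlns:xsi="XMLSchema-instance" '
    'xsi:noNamespaceSchemaLocation="HL7-audit-message-payload_1_3.xsd">'
    '<EventIdentification EventActionCode="E" EventDateTime="2022-11-07T05:18:01">'
    '</EventIdentification></AuditMessage>\n'
)

# The TIME_PREFIX from the question versus the one from the accepted answer.
BROKEN_PROPS = {
    "LINE_BREAKER": r"([\r\n]+)",
    # Never matches: EventDateTime is an attribute, not an element, so there is no "<EventDateTime>".
    "TIME_PREFIX": r"<EventDateTime>",
    "TIME_FORMAT": "%Y-%m-%dT%H:%M:%S",
    "MAX_TIMESTAMP_LOOKAHEAD": 128,  # assumed default lookahead
}
FIXED_PROPS = dict(BROKEN_PROPS, TIME_PREFIX=r'EventDateTime="', MAX_TIMESTAMP_LOOKAHEAD=19)


def break_events(raw, line_breaker):
    """Split raw input into events at the LINE_BREAKER regex (separators are dropped)."""
    return [part for part in re.split(line_breaker, raw) if part.strip()]


def extract_timestamp(event, props):
    """Find TIME_PREFIX, then try to parse TIME_FORMAT from the next MAX_TIMESTAMP_LOOKAHEAD chars.

    Returns None when the prefix does not match or no timestamp fits in the window,
    which is what leaves _time unset for the events in the thread.
    """
    match = re.search(props["TIME_PREFIX"], event)
    if not match:
        return None
    window = event[match.end(): match.end() + props["MAX_TIMESTAMP_LOOKAHEAD"]]
    # strptime needs an exact match, so scan from the longest candidate down.
    for n in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:n], props["TIME_FORMAT"])
        except ValueError:
            continue
    return None


def xml_fields(event):
    """Flatten XML into fields the way KV_MODE=xml is assumed to name them:
    element path joined with '.', attributes as path{@attr}, element text as path."""
    root = ET.fromstring(event.encode("utf-8"))
    fields = {}

    def walk(node, path):
        for attr, value in node.attrib.items():
            local = attr.split("}")[-1]  # drop any {namespace} prefix
            fields[path + "{@" + local + "}"] = value
        if node.text and node.text.strip():
            fields[path] = node.text.strip()
        for child in node:
            walk(child, path + "." + child.tag)

    walk(root, root.tag)
    return fields


def ingest(raw, props):
    """Return one dict per event with its raw text, extracted _time and XML fields."""
    return [
        {"_raw": ev, "_time": extract_timestamp(ev, props), "fields": xml_fields(ev)}
        for ev in break_events(raw, props["LINE_BREAKER"])
    ]


if __name__ == "__main__":
    for label, props in (("broken", BROKEN_PROPS), ("fixed", FIXED_PROPS)):
        print(f"--- TIME_PREFIX = {props['TIME_PREFIX']!r} ({label})")
        for ev in ingest(SAMPLE_LOG, props):
            print("  _time:", ev["_time"])
            for name, value in ev["fields"].items():
                print(f"    {name} = {value}")
```

Running it shows the broken prefix yielding no _time for either event while the fixed one parses both; shrinking MAX_TIMESTAMP_LOOKAHEAD below the 19 characters of the format (for example to 10) makes extraction fail again, which is why the accepted answer sets it to exactly the timestamp length.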

poojithavasanth
Explorer

Thanks for the reply @richgalloway 

I removed the angle brackets for TIME_PREFIX and it did not work.

[screenshot attachment: poojithavasanth_0-1675945251253.png]

I would want to extract timestamp and other fields from the event to display them.


richgalloway
SplunkTrust

Looks like we need to be more explicit with the time prefix.  Try this

TIME_PREFIX = EventDateTime="
---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

What exactly are you getting for results?  What does "parse properly" mean to you?

I can see that the TIME_PREFIX setting is incorrect.  Remove the angle brackets and it should work.

Also, the TIMESTAMP_FIELDS setting only applies when INDEXED_EXTRACTIONS is used.

---
If this reply helps you, Karma would be appreciated.