How to parse XML and props.conf?

poojithavasanth
Explorer

This is very similar to a lot of XML parsing questions, however I have read through ~20 topics and am still unable to get my XML log to parse properly.

Here is a sample of my XML file:

<?xml version="1.0" encoding="UTF-8"?><AuditMessage xmlns:xsi="XMLSchema-instance" xsi:noNamespaceSchemaLocation="HL7-audit-message-payload_1_3.xsd"><EventIdentification EventActionCode="R" EventDateTime="2022-11-07T04:18:01"></EventIdentification></AuditMessage>
<?xml version="1.0" encoding="UTF-8"?><AuditMessage xmlns:xsi="XMLSchema-instance" xsi:noNamespaceSchemaLocation="HL7-audit-message-payload_1_3.xsd"><EventIdentification EventActionCode="E" EventDateTime="2022-11-07T05:18:01"></EventIdentification></AuditMessage>

Here are the entire contents of my props.conf file: 

[xxx:xxx:audit:xml]
MUST_BREAK_AFTER = \</AuditMessage\>
KV_MODE = xml
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
TIMESTAMP_FIELDS = <EventDateTime>
TIME_PREFIX = <EventDateTime>
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
category = Custom
disabled = false

I would need your assistance to parse the events.

Thank you.

1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @poojithavasanth,

I think you didn't use my settings as they are. Please remove TIMESTAMP_FIELDS setting. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.


poojithavasanth
Explorer

Perfect. Thank you!



poojithavasanth
Explorer

Thank you @richgalloway and @scelikok 

I did not get any error; however, I see timestamp being none. 

Also, the timestamp in the file is not same as the timestamp which is marked in blue.

[screenshot attached]

scelikok
SplunkTrust
SplunkTrust

Hi @poojithavasanth,

Below should work;

[xxx:xxx:audit:xml]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
KV_MODE=xml
TIME_FORMAT=%Y-%m-%dT%H:%M:%S
TIME_PREFIX=EventDateTime="
MAX_TIMESTAMP_LOOKAHEAD=19
If this reply helps you an upvote and "Accept as Solution" is appreciated.
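An added Python simulation (not Splunk code and not from anyone in the thread) of how the settings above locate the timestamp and the attributes in the sample events. It assumes the two events from the question and approximates TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, TIME_FORMAT and KV_MODE=xml with re, strptime and ElementTree, so it also shows why the original angle-bracketed prefix never matched:

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: the two single-line AuditMessage events from the question.
SAMPLE_LOG = (
    '<?xml version="1.0" encoding="UTF-8"?><AuditMessage xmlns:xsi="XMLSchema-instance"'
    ' xsi:noNamespaceSchemaLocation="HL7-audit-message-payload_1_3.xsd">'
    '<EventIdentification EventActionCode="R" EventDateTime="2022-11-07T04:18:01">'
    '</EventIdentification></AuditMessage>\n'
    '<?xml version="1.0" encoding="UTF-8"?><AuditMessage xmlns:xsi="XMLSchema-instance"'
    ' xsi:noNamespaceSchemaLocation="HL7-audit-message-payload_1_3.xsd">'
    '<EventIdentification EventActionCode="E" EventDateTime="2022-11-07T05:18:01">'
    '</EventIdentification></AuditMessage>\n'
)

TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"  # TIME_FORMAT from the answer
MAX_TIMESTAMP_LOOKAHEAD = 19       # exactly the length of 2022-11-07T04:18:01


def break_events(raw):
    # SHOULD_LINEMERGE=false with LINE_BREAKER=([\r\n]+): one event per line.
    return [e for e in re.split(r"[\r\n]+", raw) if e]


def extract_timestamp(event, time_prefix):
    """Approximate TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT.

    The prefix is a regex searched in the event; parsing then only looks at
    the next MAX_TIMESTAMP_LOOKAHEAD characters. Returns None when the prefix
    never matches, which is what happened with the original <EventDateTime>
    setting: EventDateTime is an attribute, so that text is not in the data.
    """
    m = re.search(time_prefix, event)
    if m is None:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    try:
        return datetime.strptime(window, TIME_FORMAT)
    except ValueError:
        return None


def extract_fields(event):
    """Approximate KV_MODE=xml: collect every attribute of every element."""
    root = ET.fromstring(event.encode("utf-8"))
    fields = {}
    for el in root.iter():
        for name, value in el.attrib.items():
            fields[name.split("}")[-1]] = value  # strip the {namespace} prefix
    return fields
```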

poojithavasanth
Explorer

Thanks for the reply @richgalloway 

I removed angle brackets for TIME_PREFIX and it did not work.

[screenshot attached]

I would want to extract timestamp and other fields from the event to display them.


richgalloway
SplunkTrust
SplunkTrust

Looks like we need to be more explicit with the time prefix.  Try this

TIME_PREFIX = EventDateTime="
---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust
SplunkTrust

What exactly are you getting for results?  What does "parse properly" mean to you?

I can see that the TIME_PREFIX setting is incorrect.  Remove the angle brackets and it should work.

Also, the TIMESTAMP_FIELDS setting only applies when INDEXED_EXTRACTIONS is used.

---
If this reply helps you, Karma would be appreciated.