Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to parse XML and props.conf?

poojithavasanth
Explorer
‎02-08-2023 11:16 AM

This is very similar to a lot of XML parsing questions, however I have read through ~20 topics and am still unable to get my XML log to parse properly.

Here is a sample of my XML file:

<?xml version="1.0" encoding="UTF-8"?><AuditMessage xmlns:xsi="XMLSchema-instance" xsi:noNamespaceSchemaLocation="HL7-audit-message-payload_1_3.xsd"><EventIdentification EventActionCode="R" EventDateTime="2022-11-07T04:18:01"></EventIdentification></AuditMessage>
<?xml version="1.0" encoding="UTF-8"?><AuditMessage xmlns:xsi="XMLSchema-instance" xsi:noNamespaceSchemaLocation="HL7-audit-message-payload_1_3.xsd"><EventIdentification EventActionCode="E" EventDateTime="2022-11-07T05:18:01"></EventIdentification></AuditMessage>

Here are the entire contents of my props.conf file: 

[xxx:xxx:audit:xml]
MUST_BREAK_AFTER = \</AuditMessage\>
KV_MODE = xml
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
TIMESTAMP_FIELDS = <EventDateTime>
TIME_PREFIX = <EventDateTime>
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
category = Custom
disabled = false

 I would need your assistance to parse the events.

Thank you.

Labels (3)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-09-2023 06:38 AM

Hi @poojithavasanth,

I think you didn't use my settings as they are. Please remove TIMESTAMP_FIELDS setting. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

poojithavasanth
Explorer
‎02-09-2023 06:45 AM

Perfect. Thank you!

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-09-2023 06:38 AM

Hi @poojithavasanth,

I think you didn't use my settings as they are. Please remove TIMESTAMP_FIELDS setting. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

poojithavasanth
Explorer
‎02-09-2023 06:27 AM

Thank you @richgalloway and @scelikok 

I did not get any error; however, I see timestamp being none. 

Also, the timestamp in the file is not same as the timestamp which is marked in blue.

poojithavasanth_2-1675952917706.png

 

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎02-09-2023 06:13 AM

Hi @poojithavasanth,

Below should work;

[xxx:xxx:audit:xml]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
KV_MODE=xml
TIME_FORMAT=%Y-%m-%dT%H:%M:%S
TIME_PREFIX=EventDateTime="
MAX_TIMESTAMP_LOOKAHEAD=19
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

poojithavasanth
Explorer
‎02-09-2023 04:20 AM

Thanks for the reply @richgalloway 

I removed angle brackers for TIME_PREFIX and it did not work.

poojithavasanth_0-1675945251253.png

I would want to extract timestamp and other fields from the event to display them.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-09-2023 06:19 AM

Looks like we need to be more explicit with the time prefix.  Try this

TIME_PREFIX = EventDateTime="
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-08-2023 12:06 PM

What exactly are you getting for results?  What does "parse properly" mean to you?

I can see that the TIME_PREFIX setting is incorrect.  Remove the angle brackets and it should work.

Also, the TIMESTAMP_FIELDS setting only applies when INDEXED_EXTRACTIONS is used.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...