Splunk Search

How to parse XML and props.conf?

poojithavasanth
Explorer

This is very similar to a lot of XML parsing questions, however I have read through ~20 topics and am still unable to get my XML log to parse properly.

Here is a sample of my XML file:

<?xml version="1.0" encoding="UTF-8"?><AuditMessage xmlns:xsi="XMLSchema-instance" xsi:noNamespaceSchemaLocation="HL7-audit-message-payload_1_3.xsd"><EventIdentification EventActionCode="R" EventDateTime="2022-11-07T04:18:01"></EventIdentification></AuditMessage>
<?xml version="1.0" encoding="UTF-8"?><AuditMessage xmlns:xsi="XMLSchema-instance" xsi:noNamespaceSchemaLocation="HL7-audit-message-payload_1_3.xsd"><EventIdentification EventActionCode="E" EventDateTime="2022-11-07T05:18:01"></EventIdentification></AuditMessage>

Here are the entire contents of my props.conf file: 

[xxx:xxx:audit:xml]
MUST_BREAK_AFTER = \</AuditMessage\>
KV_MODE = xml
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
TIMESTAMP_FIELDS = <EventDateTime>
TIME_PREFIX = <EventDateTime>
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
category = Custom
disabled = false

I would need your assistance to parse the events.

Thank you.

1 Solution

scelikok
SplunkTrust

Hi @poojithavasanth,

I think you didn't use my settings as they are. Please remove TIMESTAMP_FIELDS setting. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.


poojithavasanth
Explorer

Perfect. Thank you!



poojithavasanth
Explorer

Thank you @richgalloway and @scelikok

I did not get any error; however, I see the timestamp being none.

Also, the timestamp in the file is not the same as the timestamp which is marked in blue.

[screenshot: poojithavasanth_2-1675952917706.png]

scelikok
SplunkTrust

Hi @poojithavasanth,

Below should work:

[xxx:xxx:audit:xml]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
KV_MODE=xml
TIME_FORMAT=%Y-%m-%dT%H:%M:%S
TIME_PREFIX=EventDateTime="
MAX_TIMESTAMP_LOOKAHEAD=19

If this reply helps you an upvote and "Accept as Solution" is appreciated.

poojithavasanth
Explorer

Thanks for the reply @richgalloway

I removed the angle brackets from TIME_PREFIX and it did not work.

[screenshot: poojithavasanth_0-1675945251253.png]

I would want to extract the timestamp and other fields from the event to display them.

richgalloway
SplunkTrust

Looks like we need to be more explicit with the time prefix. Try this:

TIME_PREFIX = EventDateTime="
---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

What exactly are you getting for results?  What does "parse properly" mean to you?

I can see that the TIME_PREFIX setting is incorrect.  Remove the angle brackets and it should work.

Also, the TIMESTAMP_FIELDS setting only applies when INDEXED_EXTRACTIONS is used.

---
If this reply helps you, Karma would be appreciated.
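To make concrete why the original TIME_PREFIX = <EventDateTime> fails while scelikok's TIME_PREFIX=EventDateTime=" works, and what KV_MODE=xml pulls out of each event, here is an added Python simulation of the accepted props.conf settings (LINE_BREAKER with SHOULD_LINEMERGE=false, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, TIME_FORMAT, KV_MODE=xml) run over the two sample events from the question. It is example code written for this page, not Splunk's parser and not code from either answer; the two log lines are constructed from the post, and the dotted Element{@attr} field names follow Splunk's XML extraction naming as an assumption. The point it shows: EventDateTime is an attribute of <EventIdentification>, so the literal text <EventDateTime> never appears in the event and the prefix regex cannot match. When that happens Splunk does not leave _time empty; it falls back to another time source such as the previous event's time or the time of indexing, which is why the screenshot showed a timestamp that did not match the file. For HL7 audit records, whose whole value is an accurate timeline, that silent fallback is the failure to check for after any props.conf change.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample input: the two HL7 AuditMessage events from the question,
# one XML document per line, exactly as they would arrive in the monitored file.
RAW_LOG = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<AuditMessage xmlns:xsi="XMLSchema-instance" '
    'xsi:noNamespaceSchemaLocation="HL7-audit-message-payload_1_3.xsd">'
    '<EventIdentification EventActionCode="R" EventDateTime="2022-11-07T04:18:01">'
    '</EventIdentification></AuditMessage>\n'
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<AuditMessage xmlns:xsi="XMLSchema-instance" '
    'xsi:noNamespaceSchemaLocation="HL7-audit-message-payload_1_3.xsd">'
    '<EventIdentification EventActionCode="E" EventDateTime="2022-11-07T05:18:01">'
    '</EventIdentification></AuditMessage>\n'
)

# props.conf values from the accepted answer, plus the original (broken) TIME_PREFIX.
LINE_BREAKER = r"([\r\n]+)"
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 19
GOOD_TIME_PREFIX = r'EventDateTime="'   # attribute, so the prefix ends at the opening quote
BAD_TIME_PREFIX = r"<EventDateTime>"    # no such element exists in these events


def break_lines(raw, line_breaker=LINE_BREAKER):
    """LINE_BREAKER with SHOULD_LINEMERGE=false: each match of the capture group ends an event."""
    parts = re.split(line_breaker, raw)
    # re.split keeps the captured separators; drop them and any empty trailing piece.
    return [p for p in parts if p and not re.fullmatch(line_breaker, p)]


def extract_timestamp(event, time_prefix, time_format=TIME_FORMAT,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT: locate the prefix regex, then parse
    the timestamp from the next `lookahead` characters. Returns None when the prefix is absent
    or nothing in the window matches the format (Splunk would then fall back to another time
    source, which is the failure the thread is about)."""
    m = re.search(time_prefix, event)
    if m is None:
        return None
    window = event[m.end():m.end() + lookahead]
    # strptime must consume the whole string, so try the longest parsable prefix of the window.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def extract_fields(event):
    """Approximate KV_MODE=xml: element text keyed by dotted path, attributes as Path{@attr}.
    The naming mirrors Splunk's XML extraction as an assumption; this is not Splunk's code.
    ElementTree's expat does not fetch external entities or DTDs, but for untrusted XML
    prefer defusedxml."""
    root = ET.fromstring(event)
    fields = {}

    def walk(el, path):
        for name, value in el.attrib.items():
            local = name.rsplit("}", 1)[-1]  # strip the {namespace} prefix expat adds to xsi:* attributes
            fields[f"{path}{{@{local}}}"] = value
        if el.text and el.text.strip():
            fields[path] = el.text.strip()
        for child in el:
            walk(child, f"{path}.{child.tag}")

    walk(root, root.tag)
    return fields


def parse_log(raw, time_prefix=GOOD_TIME_PREFIX):
    """Run the three stages over the raw file and return one dict per event."""
    return [
        {"_time": extract_timestamp(ev, time_prefix), "fields": extract_fields(ev), "_raw": ev}
        for ev in break_lines(raw)
    ]


if __name__ == "__main__":
    for prefix in (BAD_TIME_PREFIX, GOOD_TIME_PREFIX):
        print(f"TIME_PREFIX = {prefix}")
        for ev in parse_log(RAW_LOG, prefix):
            code = ev["fields"].get("AuditMessage.EventIdentification{@EventActionCode}")
            print(f"  _time={ev['_time']}  EventActionCode={code}")
```

Running it prints None for _time under the bracketed prefix and the two file timestamps under the attribute prefix; the same check against a real Splunk instance is a search on the sourcetype comparing _time with the EventDateTime field, since an event whose _time equals its index time is the sign that the prefix did not match. MAX_TIMESTAMP_LOOKAHEAD=19 is exactly the length of the %Y-%m-%dT%H:%M:%S value, which keeps the closing quote and the following tag out of the parse window.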