Splunk Search

How to parse XML and props.conf?

poojithavasanth
Explorer

This is very similar to a lot of XML parsing questions, however I have read through ~20 topics and am still unable to get my XML log to parse properly.

Here is a sample of my XML file:

<?xml version="1.0" encoding="UTF-8"?><AuditMessage xmlns:xsi="XMLSchema-instance" xsi:noNamespaceSchemaLocation="HL7-audit-message-payload_1_3.xsd"><EventIdentification EventActionCode="R" EventDateTime="2022-11-07T04:18:01"></EventIdentification></AuditMessage>
<?xml version="1.0" encoding="UTF-8"?><AuditMessage xmlns:xsi="XMLSchema-instance" xsi:noNamespaceSchemaLocation="HL7-audit-message-payload_1_3.xsd"><EventIdentification EventActionCode="E" EventDateTime="2022-11-07T05:18:01"></EventIdentification></AuditMessage>

Here are the entire contents of my props.conf file: 

[xxx:xxx:audit:xml]
MUST_BREAK_AFTER = \</AuditMessage\>
KV_MODE = xml
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = true
TIMESTAMP_FIELDS = <EventDateTime>
TIME_PREFIX = <EventDateTime>
TIME_FORMAT = %Y-%m-%dT%H:%M:%S
category = Custom
disabled = false

I would need your assistance to parse the events.

Thank you.

1 Solution

scelikok
SplunkTrust

Hi @poojithavasanth,

I think you didn't use my settings as they are. Please remove TIMESTAMP_FIELDS setting. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.


poojithavasanth
Explorer

Perfect. Thank you!

poojithavasanth
Explorer

Thank you @richgalloway and @scelikok 

I did not get any error; however, I see timestamp being none. 

Also, the timestamp in the file is not same as the timestamp which is marked in blue.

[screenshot attached]

scelikok
SplunkTrust

Hi @poojithavasanth,

Below should work:

[xxx:xxx:audit:xml]
SHOULD_LINEMERGE=false
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
KV_MODE=xml
TIME_FORMAT=%Y-%m-%dT%H:%M:%S
TIME_PREFIX=EventDateTime="
MAX_TIMESTAMP_LOOKAHEAD=19
If this reply helps you an upvote and "Accept as Solution" is appreciated.

poojithavasanth
Explorer

Thanks for the reply @richgalloway 

I removed angle brackets for TIME_PREFIX and it did not work.

[screenshot attached]

I would want to extract timestamp and other fields from the event to display them.


richgalloway
SplunkTrust

Looks like we need to be more explicit with the time prefix. Try this:

TIME_PREFIX = EventDateTime="
---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

What exactly are you getting for results? What does "parse properly" mean to you?

I can see that the TIME_PREFIX setting is incorrect. Remove the angle brackets and it should work.

Also, the TIMESTAMP_FIELDS setting only applies when INDEXED_EXTRACTIONS is used.

---
If this reply helps you, Karma would be appreciated.
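The point made in the replies above (EventDateTime is an XML attribute, so the prefix `<EventDateTime>` never matches and `EventDateTime="` does) and the settings in the accepted answer can be checked offline before touching an indexer. The script below is an added example written for this thread, not code from Splunk or from either poster: it approximates what Splunk does with SHOULD_LINEMERGE=false, LINE_BREAKER, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, TIME_FORMAT and KV_MODE=xml using Python's re, datetime and ElementTree, and runs it against two constructed events shaped like the ones in the question. The field-naming convention (`Element{@attr}`) and the lookahead handling are approximations of Splunk's behaviour, not its implementation; Splunk itself would fall back to other timestamp heuristics where this script returns None.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed two-event file in the shape posted in the question (not the poster's real data).
RAW_FILE = (
    '<?xml version="1.0" encoding="UTF-8"?><AuditMessage xmlns:xsi="XMLSchema-instance" '
    'xsi:noNamespaceSchemaLocation="HL7-audit-message-payload_1_3.xsd">'
    '<EventIdentification EventActionCode="R" EventDateTime="2022-11-07T04:18:01">'
    '</EventIdentification></AuditMessage>\n'
    '<?xml version="1.0" encoding="UTF-8"?><AuditMessage xmlns:xsi="XMLSchema-instance" '
    'xsi:noNamespaceSchemaLocation="HL7-audit-message-payload_1_3.xsd">'
    '<EventIdentification EventActionCode="E" EventDateTime="2022-11-07T05:18:01">'
    '</EventIdentification></AuditMessage>\n'
)

# Settings taken from the accepted answer in the thread.
LINE_BREAKER = r"([\r\n]+)"
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"   # strptime and Splunk share this syntax here
MAX_TIMESTAMP_LOOKAHEAD = 19

# The two TIME_PREFIX values under discussion.
BAD_PREFIX = r"<EventDateTime>"     # element syntax, but EventDateTime is an attribute
GOOD_PREFIX = r'EventDateTime="'    # matches the attribute and stops right before the value


def break_lines(raw, line_breaker=LINE_BREAKER):
    """Approximate SHOULD_LINEMERGE=false + LINE_BREAKER: split on the breaker regex,
    discard the captured separator, and drop empty fragments."""
    return [ev for ev in re.split(line_breaker, raw) if ev.strip()]


def extract_timestamp(event, time_prefix, time_format=TIME_FORMAT,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Approximate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT: locate the prefix
    regex, then parse the `lookahead` characters after it. Returns None when the prefix
    does not match, which is the failure mode the thread is about."""
    m = re.search(time_prefix, event)
    if m is None:
        return None
    window = event[m.end():m.end() + lookahead]
    try:
        return datetime.strptime(window, time_format)
    except ValueError:
        return None


def _local_name(tag):
    # ElementTree renders namespaced names as "{uri}local"; keep only "local".
    return tag.rsplit("}", 1)[-1]


def xml_fields(event):
    """Approximate KV_MODE=xml: flatten element text and attributes into a dict, naming
    attributes Element{@attr} in the style Splunk uses for XML attributes."""
    fields = {}
    root = ET.fromstring(event.encode("utf-8"))
    for elem in root.iter():
        name = _local_name(elem.tag)
        if elem.text and elem.text.strip():
            fields[name] = elem.text.strip()
        for attr, value in elem.attrib.items():
            fields[f"{name}{{@{_local_name(attr)}}}"] = value
    return fields


def parse_file(raw, time_prefix):
    """Run line breaking, timestamp extraction and field extraction; one dict per event."""
    return [
        {"_time": extract_timestamp(ev, time_prefix), **xml_fields(ev)}
        for ev in break_lines(raw)
    ]


if __name__ == "__main__":
    for prefix in (BAD_PREFIX, GOOD_PREFIX):
        print(f"TIME_PREFIX = {prefix}")
        for rec in parse_file(RAW_FILE, prefix):
            print("  _time:", rec["_time"],
                  " action:", rec["EventIdentification{@EventActionCode}"])
```

Running it prints `_time: None` for both events under the angle-bracket prefix and the two expected timestamps under `EventDateTime="`, while the field dict shows `EventIdentification{@EventActionCode}` and `EventIdentification{@EventDateTime}` extracted either way, which matches the symptom in the thread: fields present, timestamp missing.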