- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Regex for props.conf
ranjitbrhm1
Communicator
04-03-2018
12:34 AM
Hello All, I have an XML file which i need to injest. I cannot seem to set the correct regex to match the todo-item here. also please find my props.conf entry.
<todo-items type="array">
<todo-item>
<project-id type="integer">353705</project-id>
<tasklist-istemplate type="boolean">false</tasklist-istemplate>
<hastickets type="boolean">false</hastickets>
<order type="integer">2003</order>
<comments-count type="integer">0</comments-count>
<created-on type="date">2018-02-21T06:26:43Z</created-on>
<canedit type="boolean">true</canedit>
<has-predecessors type="integer">0</has-predecessors>
<id type="integer">17223695</id>
<completed type="boolean">false</completed>
<position type="integer">2003</position>
<estimated-minutes type="integer">0</estimated-minutes>
<description/>
<progress type="integer">0</progress>
<harvest-enabled type="boolean">false</harvest-enabled>
<parenttaskid type="integer">17223687</parenttaskid>
<responsible-party-lastname>xxx</responsible-party-lastname>
<company-id type="integer">103131</company-id>
<creator-id type="integer">316954</creator-id>
<project-name>asdfasdfasdf</project-name>
<start-date type="integer">20180403</start-date>
<tasklist-private type="boolean">true</tasklist-private>
<lockdownid type="integer">806894</lockdownid>
<cancomplete type="boolean">true</cancomplete>
<responsible-party-id>317122,221525,316954</responsible-party-id>
<creator-lastname>asdfasdfsdf</creator-lastname>
<has-reminders type="boolean">false</has-reminders>
<has-unread-comments type="boolean">false</has-unread-comments>
<todo-list-name>Phase Two</todo-list-name>
<due-date-base type="integer">20180403</due-date-base>
<private type="integer">2</private>
<userfollowingcomments type="boolean">false</userfollowingcomments>
<responsible-party-summary>You + 2 others</responsible-party-summary>
<status>new</status>
<todo-list-id type="integer">1533948</todo-list-id>
<predecessors type="array"/>
<tags type="array"/>
<content>ffdddffdfdfdfdfdfdfdfdfdfd</content>
<responsible-party-type>Person</responsible-party-type>
<company-name>as dfcsdfsdfs</company-name>
<creator-firstname>asdfasdfasdfasdf</creator-firstname>
<last-changed-on type="date">2018-03-29T10:55:28Z</last-changed-on>
<due-date type="integer">20180403</due-date>
<has-dependencies type="integer">2</has-dependencies>
<attachments-count type="integer">0</attachments-count>
<userfollowingchanges type="boolean">false</userfollowingchanges>
<priority/>
<responsible-party-firstname>asdfasdfasdf</responsible-party-firstname>
<viewestimatedtime type="boolean">true</viewestimatedtime>
<responsible-party-ids>317122,221525,316954</responsible-party-ids>
<responsible-party-names>cdcdcdcdcdcdcdcd</responsible-party-names>
<tasklist-lockdownid type="integer">806894</tasklist-lockdownid>
<timeislogged type="integer">0</timeislogged>
</todo-item>
following is my props.conf setting
[tasks]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\s*\<todo-item\>)
DATETIME_CONFIG = CURRENT
KV_MODE =xml
Any help is highly appreciated.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ranjitbrhm1
Communicator
04-03-2018
04:36 AM
Where is the search head's props file located. Also is it necessary to mention seperately KV_MODE in a standalone splunk instance?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunker12er
Motivator
04-03-2018
01:50 AM
Try this for props.conf on your Indexer/Heavy Forwarder.
[tasks]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\s*\<todo\-item\>)
DATETIME_CONFIG = CURRENT
Search head props.conf
[tasks]
KV_MODE =xml
