Splunk Search

Regex for props.conf

ranjitbrhm1
Communicator

Hello All, I have an XML file which i need to injest. I cannot seem to set the correct regex to match the todo-item here. also please find my props.conf entry.

<todo-items type="array">
<todo-item>
<project-id type="integer">353705</project-id>
<tasklist-istemplate type="boolean">false</tasklist-istemplate>
<hastickets type="boolean">false</hastickets>
<order type="integer">2003</order>
<comments-count type="integer">0</comments-count>
<created-on type="date">2018-02-21T06:26:43Z</created-on>
<canedit type="boolean">true</canedit>
<has-predecessors type="integer">0</has-predecessors>
<id type="integer">17223695</id>
<completed type="boolean">false</completed>
<position type="integer">2003</position>
<estimated-minutes type="integer">0</estimated-minutes>
<description/>
<progress type="integer">0</progress>
<harvest-enabled type="boolean">false</harvest-enabled>
<parenttaskid type="integer">17223687</parenttaskid>
<responsible-party-lastname>xxx</responsible-party-lastname>
<company-id type="integer">103131</company-id>
<creator-id type="integer">316954</creator-id>
<project-name>asdfasdfasdf</project-name>
<start-date type="integer">20180403</start-date>
<tasklist-private type="boolean">true</tasklist-private>
<lockdownid type="integer">806894</lockdownid>
<cancomplete type="boolean">true</cancomplete>
<responsible-party-id>317122,221525,316954</responsible-party-id>
<creator-lastname>asdfasdfsdf</creator-lastname>
<has-reminders type="boolean">false</has-reminders>
<has-unread-comments type="boolean">false</has-unread-comments>
<todo-list-name>Phase Two</todo-list-name>
<due-date-base type="integer">20180403</due-date-base>
<private type="integer">2</private>
<userfollowingcomments type="boolean">false</userfollowingcomments>
<responsible-party-summary>You + 2 others</responsible-party-summary>
<status>new</status>
<todo-list-id type="integer">1533948</todo-list-id>
<predecessors type="array"/>
<tags type="array"/>
<content>ffdddffdfdfdfdfdfdfdfdfdfd</content>
<responsible-party-type>Person</responsible-party-type>
<company-name>as dfcsdfsdfs</company-name>
<creator-firstname>asdfasdfasdfasdf</creator-firstname>
<last-changed-on type="date">2018-03-29T10:55:28Z</last-changed-on>
<due-date type="integer">20180403</due-date>
<has-dependencies type="integer">2</has-dependencies>
<attachments-count type="integer">0</attachments-count>
<userfollowingchanges type="boolean">false</userfollowingchanges>
<priority/>
<responsible-party-firstname>asdfasdfasdf</responsible-party-firstname>
<viewestimatedtime type="boolean">true</viewestimatedtime>
<responsible-party-ids>317122,221525,316954</responsible-party-ids>
<responsible-party-names>cdcdcdcdcdcdcdcd</responsible-party-names>
<tasklist-lockdownid type="integer">806894</tasklist-lockdownid>
<timeislogged type="integer">0</timeislogged>
</todo-item>

following is my props.conf setting

 [tasks]
 SHOULD_LINEMERGE = false
 LINE_BREAKER = ([\r\n]+)(?=\s*\<todo-item\>)
 DATETIME_CONFIG = CURRENT
 KV_MODE =xml

Any help is highly appreciated.
Thanks

0 Karma

ranjitbrhm1
Communicator

Where is the search head's props file located. Also is it necessary to mention seperately KV_MODE in a standalone splunk instance?

0 Karma

splunker12er
Motivator

Try this for props.conf on your Indexer/Heavy Forwarder.

 [tasks]
 SHOULD_LINEMERGE = false
 LINE_BREAKER = ([\r\n]+)(?=\s*\<todo\-item\>)
 DATETIME_CONFIG = CURRENT

Search head props.conf

 [tasks]
 KV_MODE =xml
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...