Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Regex for props.conf
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Regex for props.conf
ranjitbrhm1
Communicator
04-03-2018
12:34 AM
Hello All, I have an XML file which i need to injest. I cannot seem to set the correct regex to match the todo-item here. also please find my props.conf entry.
<todo-items type="array">
<todo-item>
<project-id type="integer">353705</project-id>
<tasklist-istemplate type="boolean">false</tasklist-istemplate>
<hastickets type="boolean">false</hastickets>
<order type="integer">2003</order>
<comments-count type="integer">0</comments-count>
<created-on type="date">2018-02-21T06:26:43Z</created-on>
<canedit type="boolean">true</canedit>
<has-predecessors type="integer">0</has-predecessors>
<id type="integer">17223695</id>
<completed type="boolean">false</completed>
<position type="integer">2003</position>
<estimated-minutes type="integer">0</estimated-minutes>
<description/>
<progress type="integer">0</progress>
<harvest-enabled type="boolean">false</harvest-enabled>
<parenttaskid type="integer">17223687</parenttaskid>
<responsible-party-lastname>xxx</responsible-party-lastname>
<company-id type="integer">103131</company-id>
<creator-id type="integer">316954</creator-id>
<project-name>asdfasdfasdf</project-name>
<start-date type="integer">20180403</start-date>
<tasklist-private type="boolean">true</tasklist-private>
<lockdownid type="integer">806894</lockdownid>
<cancomplete type="boolean">true</cancomplete>
<responsible-party-id>317122,221525,316954</responsible-party-id>
<creator-lastname>asdfasdfsdf</creator-lastname>
<has-reminders type="boolean">false</has-reminders>
<has-unread-comments type="boolean">false</has-unread-comments>
<todo-list-name>Phase Two</todo-list-name>
<due-date-base type="integer">20180403</due-date-base>
<private type="integer">2</private>
<userfollowingcomments type="boolean">false</userfollowingcomments>
<responsible-party-summary>You + 2 others</responsible-party-summary>
<status>new</status>
<todo-list-id type="integer">1533948</todo-list-id>
<predecessors type="array"/>
<tags type="array"/>
<content>ffdddffdfdfdfdfdfdfdfdfdfd</content>
<responsible-party-type>Person</responsible-party-type>
<company-name>as dfcsdfsdfs</company-name>
<creator-firstname>asdfasdfasdfasdf</creator-firstname>
<last-changed-on type="date">2018-03-29T10:55:28Z</last-changed-on>
<due-date type="integer">20180403</due-date>
<has-dependencies type="integer">2</has-dependencies>
<attachments-count type="integer">0</attachments-count>
<userfollowingchanges type="boolean">false</userfollowingchanges>
<priority/>
<responsible-party-firstname>asdfasdfasdf</responsible-party-firstname>
<viewestimatedtime type="boolean">true</viewestimatedtime>
<responsible-party-ids>317122,221525,316954</responsible-party-ids>
<responsible-party-names>cdcdcdcdcdcdcdcd</responsible-party-names>
<tasklist-lockdownid type="integer">806894</tasklist-lockdownid>
<timeislogged type="integer">0</timeislogged>
</todo-item>
following is my props.conf setting
[tasks]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\s*\<todo-item\>)
DATETIME_CONFIG = CURRENT
KV_MODE =xml
Any help is highly appreciated.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ranjitbrhm1
Communicator
04-03-2018
04:36 AM
Where is the search head's props file located. Also is it necessary to mention seperately KV_MODE in a standalone splunk instance?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
splunker12er
Motivator
04-03-2018
01:50 AM
Try this for props.conf on your Indexer/Heavy Forwarder.
[tasks]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\s*\<todo\-item\>)
DATETIME_CONFIG = CURRENT
Search head props.conf
[tasks]
KV_MODE =xml
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Event Series: Telemetry Pipeline Management
Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud
As ...
Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...
Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...
Deep insights, no barriers: Splunk Observability Cloud Free Edition
As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...
