Why is my props.conf not working at all to parse XML data?

nicocin
Path Finder

Hello everybody

I'm pretty new to Splunk and I'm trying to parse an xml input for the first time. Unfortunately, without success so far. 😞

I want to extract some fields of an xml file.

In my Test Environment I've created a new deployment app, server class, and made the associations.

In the app (default folder) I've created an inputs.conf:

[monitor://C:\temp\input.XML]
NO_BINARY_CHECK=1
sourcetype=my-source

Then I've created a props.conf:

[my-source] 
DATETIME_CONFIG = CURRENT
LINE_BREAKER = [\>\s]((?=\<data\>))
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = 1
TRUNCATE = 10000000

So far so good, the input file is indexed by Splunk, but my props.conf has no influence at all.

The XML looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<report>
 <reportdata>
  <name value="VPN User Total" type="string"/>
  <desc value="VPN User Total" type="string"/>
  <freq value="None" type="string"/>
  <created value="2016/03/15 09:02:27" type="timestamp"/>
  <timezone value="Europe/Berlin" type="string"/>
  <author value="useradmin" type="string"/>
  <customquery><query/></customquery>
 </reportdata>
 <domain id="master" total="0"/>
 <domain id="domain.intra" total="572">
 <query id="New">
  <data>
   <appl_types value="RO" type="string" source="digipass" displayname="Application"/>
   <domain value="domain.intra" type="string" source="digipass" displayname="Domain"/>
   <dp_type value="GO001" type="string" source="digipass" displayname="Type"/>
   <serial_no value="0123456789" type="string" source="digipass" displayname="SN"/>
   <userid value="user1" type="string" source="digipass" displayname="User"/>
  </data>
  <data>
   <appl_types value="RO" type="string" source="digipass" displayname="Application"/>
   <domain value="domain.intra" type="string" source="digipass" displayname="Domain"/>
   <dp_type value="GO001" type="string" source="digipass" displayname="Type"/>
   <serial_no value="987654321" type="string" source="digipass" displayname="SN"/>
   <userid value="user2" type="string" source="digipass" displayname="User"/>
  </data>
 </query>
 </domain>
</report>

From the second line on, everything is on one line (I just added some line breaks for readability).

The file contains a lot of entries; this is only a demo version of it.

Splunk indexes only the first 10000 chars and adds no line breaks.

My goal is to extract the userid and serial_no from all fields (I know that my props doesn't do that, but I tried to start as simple as possible).

Any hints why my props.conf is not working at all?

1 Solution

nicocin
Path Finder

It's working great now with props.conf on the indexer.

I've added the following to my props.conf:

FIELDALIAS-rootfields = data.userid{@value} as User data.serial_no{@value} as Serial

And I get a table with all users and serials. 🙂

sourcetype=vpn_audit | table User,Serial

Jeremiah
Motivator

What's your setup like? Are you sending from a universal forwarder to an indexer? What components are you deploying where?

nicocin
Path Finder

Yes, I'm sending from a universal forwarder to an indexer.

I've deployed the app to the server (with the universal forwarder) where the XML is stored.

Edit: OK, with props.conf in ..\etc\system\local on the indexer it is working 🙂

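To see what the poster's LINE_BREAKER actually does to the single-line file, and what the accepted solution's field alias then pulls out of each event, here is an added Python example (not from this thread and not Splunk code). It emulates the Splunk rule that the stream is cut at the regex's first capture group with the group's text discarded, runs it over a constructed one-line copy of the XML, and then reads the userid and serial_no value attributes the way data.userid{@value} and data.serial_no{@value} would; the RAW sample and the helper names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the thread's XML flattened onto one line after the declaration.
RAW = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<report><reportdata><name value="VPN User Total" type="string"/>'
    '<created value="2016/03/15 09:02:27" type="timestamp"/></reportdata>'
    '<domain id="domain.intra" total="572"><query id="New">'
    '<data><dp_type value="GO001" type="string"/>'
    '<serial_no value="0123456789" type="string" source="digipass" displayname="SN"/>'
    '<userid value="user1" type="string" source="digipass" displayname="User"/></data>'
    '<data><dp_type value="GO001" type="string"/>'
    '<serial_no value="987654321" type="string" source="digipass" displayname="SN"/>'
    '<userid value="user2" type="string" source="digipass" displayname="User"/></data>'
    '</query></domain></report>'
)

# The poster's regex: the '>' or whitespace before <data> stays with the previous
# event, and the capture group is an empty lookahead, so nothing is discarded.
LINE_BREAKER = re.compile(r"[\>\s]((?=\<data\>))")
DATA_BLOCK = re.compile(r"<data>.*?</data>", re.S)


def split_events(stream, breaker=LINE_BREAKER):
    """Emulate LINE_BREAKER: cut at capture group 1 and drop the group's text."""
    events, pos = [], 0
    for m in breaker.finditer(stream):
        events.append(stream[pos:m.start(1)])
        pos = m.end(1)
    events.append(stream[pos:])
    return [e for e in events if e.strip()]


def extract_fields(event):
    """Mimic KV_MODE=xml plus the FIELDALIAS: {'User': ..., 'Serial': ...} or None."""
    m = DATA_BLOCK.search(event)  # the trailing event also carries </query></domain></report>
    if not m:
        return None
    node = ET.fromstring(m.group(0))
    return {"User": node.find("userid").get("value"),
            "Serial": node.find("serial_no").get("value")}


def user_serial_table(stream):
    """Equivalent of '| table User,Serial' over the events produced by split_events."""
    return [f for f in (extract_fields(e) for e in split_events(stream)) if f]


if __name__ == "__main__":
    for row in user_serial_table(RAW):
        print(row["User"], row["Serial"])
```

The first event is the report header up to the first <data>, so it yields no row; in the thread's deployment this split runs on the indexer, which is why the same props.conf had no effect while it sat only on the universal forwarder.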