Splunk Search

Why is my props.conf not working at all to parse XML data?

nicocin
Path Finder

Hello everybody

I'm pretty new to Splunk and I'm trying to parse an xml input for the first time. Unfortunately, without success so far. 😞

I want to extract some fields of an xml file.

In my Test Environment I've created a new deployment app, server class, and made the associations.

In the app (default folder) I've created an inputs.conf:

[monitor://C:\temp\input.XML]
NO_BINARY_CHECK=1
sourcetype=my-source

Then I've created a props.conf:

[my-source] 
DATETIME_CONFIG = CURRENT
LINE_BREAKER = [\>\s]((?=\<data\>))
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = 1
TRUNCATE = 10000000

So far so good, the input file is indexed by Splunk, but my props.conf has no influence at all.

The XML looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<report>
 <reportdata>
  <name value="VPN User Total" type="string"/>
  <desc value="VPN User Total" type="string"/>
  <freq value="None" type="string"/>
  <created value="2016/03/15 09:02:27" type="timestamp"/>
  <timezone value="Europe/Berlin" type="string"/>
  <author value="useradmin" type="string"/>
  <customquery><query/></customquery>
 </reportdata>
 <domain id="master" total="0"/>
 <domain id="domain.intra" total="572">
 <query id="New">
  <data>
   <appl_types value="RO" type="string" source="digipass" displayname="Application"/>
   <domain value="domain.intra" type="string" source="digipass" displayname="Domain"/>
   <dp_type value="GO001" type="string" source="digipass" displayname="Type"/>
   <serial_no value="0123456789" type="string" source="digipass" displayname="SN"/>
   <userid value="user1" type="string" source="digipass" displayname="User"/>
  </data>
  <data>
   <appl_types value="RO" type="string" source="digipass" displayname="Application"/>
   <domain value="domain.intra" type="string" source="digipass" displayname="Domain"/>
   <dp_type value="GO001" type="string" source="digipass" displayname="Type"/>
   <serial_no value="987654321" type="string" source="digipass" displayname="SN"/>
   <userid value="user2" type="string" source="digipass" displayname="User"/>
  </data>
 </query>
 </domain>
</report>

From the second line, everything is on one line (just added some line breaks for better reading).

The File contains a lot of entries, this is only a demo version of it.

Splunk indexes only the first 10000 chars and adds no line breaks.

My Goal is to extract the userid and serial_no from all fields (I know that my props doesn't do that, but I tried to start as simple as possible.

Any hints why my props.conf is not working at all?

0 Karma
1 Solution

nicocin
Path Finder

It's working great now with props.conf on the indexer.

I've added the following to my props.conf:

FIELDALIAS-rootfields = data.userid{@value} as User data.serial_no{@value} as Serial

And get a table with all users and Serial.. 🙂

sourcetype=vpn_audit | table User,Serial

View solution in original post

0 Karma

nicocin
Path Finder

It's working great now with props.conf on the indexer.

I've added the following to my props.conf:

FIELDALIAS-rootfields = data.userid{@value} as User data.serial_no{@value} as Serial

And get a table with all users and Serial.. 🙂

sourcetype=vpn_audit | table User,Serial
0 Karma

Jeremiah
Motivator

What's your setup like? Are you sending from a universal forwarder to an indexer? What components are you deploying where?

0 Karma

nicocin
Path Finder

Yes I'm sending from an universal forwarder to an indexer.

I've depoyed the app to the server (with universal forwarder) where the xml is stored.

Edit: ok with props.conf on ..\etc\syste\local on the indexer it is working 🙂

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...