Hello
I am trying to make key=value pairs for the data below, and I am lost on where I am going wrong.
6/26/15 10:26 AM,abcdefg.com:CRDMS,Oracle Database Server,DB Role (Oracle) Assignment report,Query Rule,Query=DB Role assignment query,"<?xml version=""1.0"" encoding=""UTF-8"" ?>
<ResultSetData>
<Row>
<Column name=""Server Name"">abc.abc</Column>
<Column name=""Database Name"">CRDMS</Column>
<Column name=""Role Name"">PCI_READ_IARD</Column>
<Column name=""Role Grantee"">SYS</Column>
<Column name=""Server NetBIOS Name"">abc.abc</Column>
</Row>
What I plan to do is to make KEY=VALUE pairs for all the names with their corresponding values. Example: “Server Name” = abc.abc, Database Name=CRDMS, etc.
Props.conf:
[test]
TRANSFORMS-ext = ext_column_values
TRUNCATE=100000
Transforms.conf:
[ext_column_values]
REGEX = ^\s+\<Column\s+name\=\"\"([^\"]+)\"\"\>([^\<]+)\<
FORMAT = $1::$2
#MV_ADD = true
#WRITE_META = true
SOURCE_KEY = _raw
But it doesn’t seem to work. Not sure where I am going wrong. Any ideas?
It all looks good to me except that you definitely need MV_ADD=true, so remove the comment character on that line. The RegEx might be better as explicitly multiline:
REGEX = (?m)^\s+\<Column\s+name\=\"\"([^\"]+)\"\"\>([^\<]+)\<
MV_ADD = true
I tried it and it still doesn't work. Kinda strange. I am applying them on the indexer and doing a oneshot on it for now.
Is the sourcetype for the events that you would like to exploit called test? If not, you need to change your stanza header in props.conf from [test] to [yourSourceType] before it will all be connected together. Also, you may have a permission problem depending on where you have placed the props.conf and transforms.conf files. You might try setting the permissions to Global to test if this is the problem.
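An added example, not part of the original thread: an offline check of the two REGEX values posted above against a constructed copy of the event, using Python's `re` as a stand-in for Splunk's regex engine (an assumption that holds for the constructs used here). The `unanchored` pattern and the helper names are hypothetical, and both an indented and a flush-left layout are tested because the sample as posted does not show whether the `<Column>` lines carry leading whitespace.

```python
import re

# Constructed sample modelled on the event in the question. Quotes are doubled
# because the XML sits inside a quoted CSV field in _raw.
HEAD = '6/26/15 10:26 AM,abcdefg.com:CRDMS,Query Rule,"<?xml version=""1.0"" encoding=""UTF-8"" ?>'
COLUMNS = [
    '<Column name=""Server Name"">abc.abc</Column>',
    '<Column name=""Database Name"">CRDMS</Column>',
    '<Column name=""Role Name"">PCI_READ_IARD</Column>',
]

PATTERNS = {
    # REGEX from the question's transforms.conf
    "question": r'^\s+\<Column\s+name\=\"\"([^\"]+)\"\"\>([^\<]+)\<',
    # REGEX from the answer, with the multiline flag
    "answer_multiline": r'(?m)^\s+\<Column\s+name\=\"\"([^\"]+)\"\"\>([^\<]+)\<',
    # Hypothetical variant (not from the thread): no anchor, no mandatory whitespace
    "unanchored": r'\<Column\s+name\=\"\"([^\"]+)\"\"\>([^\<]+)\<',
}


def build_event(indent):
    """Build a multi-line event with `indent` placed before each <Column> line."""
    lines = [HEAD, "<ResultSetData>", "<Row>"]
    lines += [indent + col for col in COLUMNS]
    lines.append("</Row>")
    return "\n".join(lines)


def extract(pattern_name, event):
    """Return every (name, value) pair the named pattern finds in the event."""
    return re.findall(PATTERNS[pattern_name], event)


if __name__ == "__main__":
    for label, indent in (("indented", "  "), ("flush-left", "")):
        event = build_event(indent)
        for name in PATTERNS:
            print(f"{label:10} {name:17} -> {extract(name, event)}")
```

Without `(?m)` the `^` anchor only matches at the very start of the event, so the question's pattern finds nothing in either layout; with `(?m)` the leading `\s+` still requires at least one whitespace character before each `<Column`.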