I have a log file where a typical line entry is as below ... I am trying to construct a REGEX to be included in the "transforms.conf" file on the indexer to break the line into fields such as "NS", "subproduct", "command", "result", "time", i.e. by XML tags. Any help is appreciated
20110803 000000|
I tried this and am still not able to get the data extracted. Here are my props.conf and transforms.conf entries
Props.conf
[source::...tcpig.\d+.\sla.\$]
sourcetype = ig_sla
[ig_sla]
TIME_FORMAT = %Y%m%d %H%M%S
TZ = US/Eastern
MAX_EVENTS=1
SHOULD_LINEMERGE = false
LINE_BREAKER = >\s*(?=<rttlog>)
REPORT-xmlext = xml-extr
transforms.conf
[xml-extr]
REGEX = <(\w+)>([^<]+)</
FORMAT = reg_id::"$1" NS::"$2" sub_product::"$3" command::"$4" response_code::"$5" response_time::"$6"
Can you make sure that the sourcetype is actually applied to those events? There is a bug on splunkbase that doubles the backslashes. There should only be one in the REGEX stanza...
This should work:
transforms.conf
[simple-xml-tags]
REGEX = <(\w+)>([^<]+)</
FORMAT = $1::$2
props.conf
[my_sourcetype]
REPORT-xml-tags = simple-xml-tags
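As an added illustration (not part of the original thread or of Splunk itself), the following Python emulates what the answer's `REGEX = <(\w+)>([^<]+)</` with `FORMAT = $1::$2` does to one event: every match yields a field named after capture group 1 with the value of capture group 2. The sample event is constructed, since the XML payload of the asker's line is not reproduced on the page; the tag names are assumed from the asker's list. It also shows why the asker's FORMAT referencing `$3`..`$6` could not work (the regex has only two groups per match) and what the doubled-backslash variant mentioned above would match (nothing).

```python
import re

# The tag/value regex from the answer: group 1 is the tag name, group 2 is the
# text up to the next '<'. Empty tags and tags that directly contain other
# tags (such as the outer <rttlog>) therefore produce no field.
TAG_RE = re.compile(r"<(\w+)>([^<]+)</")

# The same pattern with every backslash doubled, as the splunkbase bug would
# write it: it now requires a literal backslash before 'w+' and never matches
# ordinary XML.
DOUBLED_TAG_RE = re.compile(r"<(\\w+)>([^<]+)</")

# Constructed sample event (assumed layout; the original line's XML payload
# is not shown on the page).
SAMPLE_EVENT = (
    "20110803 000000|<rttlog><NS>billing</NS><subproduct>sla</subproduct>"
    "<command>GET_STATUS</command><result>OK</result><time>42</time>"
    "<empty></empty></rttlog>"
)


def extract_xml_fields(event: str) -> dict:
    """Emulate FORMAT = $1::$2: each match becomes field name -> value.

    A repeated tag name keeps the last value here; in Splunk, MV_ADD = true
    on the transform would be needed to keep all of them as a multivalue field.
    """
    fields = {}
    for m in TAG_RE.finditer(event):
        fields[m.group(1)] = m.group(2)
    return fields


def capture_groups_per_match() -> int:
    """Number of capture groups in TAG_RE; FORMAT may only reference $1..$N."""
    return TAG_RE.groups


def doubled_backslash_matches(event: str) -> int:
    """How many tag/value pairs the doubled-backslash regex finds (none)."""
    return sum(1 for _ in DOUBLED_TAG_RE.finditer(event))


if __name__ == "__main__":
    print(extract_xml_fields(SAMPLE_EVENT))
    print("capture groups per match:", capture_groups_per_match())
    print("matches with doubled backslashes:", doubled_backslash_matches(SAMPLE_EVENT))
```

Two caveats worth keeping in mind when relying on this regex in production: `[^<]+` silently skips empty elements and any element whose content is itself markup, and because the field name is taken from the data, an event containing unexpected tag names will create unexpected fields, so it is worth checking the resulting field list against what the dashboards and alerts downstream actually expect.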