Getting Data In

How to configure props.conf to parse XML on NetScan reports?

madrinux
Engager

Hey Friends

I'm having a lot of issues importing an XML file into my Splunk Enterprise. Actually, I'm a new user of Splunk and still trying, without success, with this XML file.

Googling around, I figured out that the right file for configuring this parsing should be props.conf, and I already tried making some changes and configurations inside props.conf, but didn't find a way to do it right.

Indeed, this file is the result of a NetScan and I'm not getting how to configure this property.

Could you guys give me a little help?

Below you can see a sample of the file that I'm trying to parse. Note that when this scan finds additional information about shares on a specific device, it also inserts this as a parameter for folder, and, unfortunately, we cannot change the way this report is issued.

<?xml version="1.0"?>
<network-scanner-result>
  <summary>
    <title>Network Scanner</title>
    <range></range>
    <date>2016-02-01T13:14:51.570-02:00</date>
  </summary>
  <devices>
    <item>
      <ip-address>10.77.4.57</ip-address>
      <hostname></hostname>
      <mac-address>000000000000</mac-address>
      <response-time>1</response-time>
    </item>
    <item>
      <ip-address>10.77.4.58</ip-address>
      <hostname></hostname>
      <mac-address>000000000000</mac-address>
      <response-time>0</response-time>
    </item>
    <item>
      <ip-address>10.77.4.61</ip-address>
      <folders>
        <item>
          <name>MPC3001</name>
          <attr>printer</attr>
        </item>
        <item>
          <name>IPC$</name>
          <attr>ipc</attr>
        </item>
      </folders>
      <hostname>RNP002673377C09</hostname>
      <mac-address>002673377C09</mac-address>
      <response-time>8</response-time>
    </item>
    <item>
      <ip-address>10.77.4.90</ip-address>
      <hostname></hostname>
      <mac-address>000000000000</mac-address>
      <response-time>0</response-time>
    </item>
    <item>
      <ip-address>10.77.4.91</ip-address>
      <hostname></hostname>
      <mac-address>000000000000</mac-address>
      <response-time>2</response-time>
    </item>
    <item>
      <ip-address>10.77.4.92</ip-address>
      <hostname></hostname>
      <mac-address>000000000000</mac-address>
      <response-time>0</response-time>
    </item>
    <item>
      <ip-address>10.77.4.93</ip-address>
      <hostname></hostname>
      <mac-address>000000000000</mac-address>
      <response-time>1</response-time>
    </item>
    <item>
      <ip-address>10.77.4.94</ip-address>
      <hostname></hostname>
      <mac-address>000000000000</mac-address>
      <response-time>0</response-time>
    </item>
    <item>
      <ip-address>10.77.4.95</ip-address>
      <hostname></hostname>
      <mac-address>000000000000</mac-address>
      <response-time>5</response-time>
    </item>
  </devices>
</network-scanner-result>

Could you guys give me a little help on how I can parse that?


skoelpin
SplunkTrust

I'm not 100% sure what you're asking here. So you have logs on a server which are in the form of XML and you need those log files available in your Splunk web portal?

If so, then you will need to set up a forwarder on the server which produces the log files, then configure your outputs.conf to point to your indexer, which parses the data. The indexer will also make it available in your Splunk web interface. Once this XML file is on your indexer you can then parse the XML, line-break it, etc.

If you're asking how to make each portion of your XML into a separate event, then you will need to write a regular expression and put that in your props.conf. If this is the case, post the current stanza you have in your props.conf and I'll help you correct it.


madrinux
Engager

Hi skoelpin, thanks in advance for your help.

Actually, for now I have an XML file and I intend to insert this file through the web portal menu --> upload files from my computer. And the sample above is exactly what I need to insert into Splunk.

My question is, how to parse this information and put each piece of information in the right field.
For instance: IP address, MAC address, FolderName, FolderAttribute and so on...

Maybe it would be a little clearer if you see my sample.conf configuration that didn't work as I expected.

Below:

[NetScan]
DATETIME_CONFIG = CURRENT
KV_MODE = xml
LINE_BREAKER = (<devices>)
MUST_BREAK_AFTER = \</devices\>
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TRUNCATE = 0
pulldown_type = 1
FIELDALIAS-rootfields = item.ip-address as IPADDRESS item.hostname as HOSTNAME item.mac-address as MACADD item.response-time as RESPTIME item.folders.item.name as SHARE item.folders.item.attr as ATTRIBUTE
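The following is an added example, not code from the thread or from Splunk: it parses the sample report posted above into one flat record per device and demonstrates the pitfall the question warns about, namely that share entries under <folders> reuse the <item> tag, so an event breaker keyed on a bare `<item>` splits a device with shares into several events. The `DEVICE_START` regex keys on `<item>` immediately followed by `<ip-address>` instead, which is the anchor a LINE_BREAKER for this report would also need. Emitting one JSON object per device (to be indexed with KV_MODE = json) is an assumed alternative to XML breaking, not what the thread proposes. The embedded XML is a trimmed copy of the posted sample.

```python
"""Parse a NetScan XML report into one record per device.

Added example (not from the original thread): shows why event breaking must
key on the outer <item> elements only, because share entries under <folders>
reuse the <item> tag, and flattens each device into a JSON event.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the report posted in the question.
SAMPLE_XML = """<?xml version="1.0"?>
<network-scanner-result>
  <summary>
    <title>Network Scanner</title>
    <range></range>
    <date>2016-02-01T13:14:51.570-02:00</date>
  </summary>
  <devices>
    <item>
      <ip-address>10.77.4.57</ip-address>
      <hostname></hostname>
      <mac-address>000000000000</mac-address>
      <response-time>1</response-time>
    </item>
    <item>
      <ip-address>10.77.4.61</ip-address>
      <folders>
        <item>
          <name>MPC3001</name>
          <attr>printer</attr>
        </item>
        <item>
          <name>IPC$</name>
          <attr>ipc</attr>
        </item>
      </folders>
      <hostname>RNP002673377C09</hostname>
      <mac-address>002673377C09</mac-address>
      <response-time>8</response-time>
    </item>
  </devices>
</network-scanner-result>
"""

# Only an <item> immediately followed by <ip-address> starts a device event;
# share <item>s under <folders> are followed by <name> and stay inside their
# parent device. A naive breaker on <item> alone would split them out.
DEVICE_START = re.compile(r"<item>\s*<ip-address>")
NAIVE_START = re.compile(r"<item>")


def count_events(xml_text, pattern):
    """Number of events a line breaker using `pattern` would produce."""
    return len(pattern.findall(xml_text))


def parse_devices(xml_text):
    """Return one flat dict per device; nested shares become a list."""
    root = ET.fromstring(xml_text)
    scan_date = root.findtext("summary/date")
    devices = []
    for item in root.findall("devices/item"):  # outer items only
        devices.append({
            "scan_date": scan_date,
            "ip_address": item.findtext("ip-address"),
            "hostname": item.findtext("hostname") or None,  # empty tag -> None
            "mac_address": item.findtext("mac-address"),
            "response_time_ms": int(item.findtext("response-time")),
            "shares": [
                {"name": f.findtext("name"), "attr": f.findtext("attr")}
                for f in item.findall("folders/item")
            ],
        })
    return devices


def to_json_lines(devices):
    """One JSON object per line, i.e. one Splunk event per device
    (index with KV_MODE = json rather than breaking the XML itself)."""
    return "\n".join(json.dumps(d, sort_keys=True) for d in devices)


if __name__ == "__main__":
    print("naive <item> breaks :", count_events(SAMPLE_XML, NAIVE_START))   # 4
    print("device breaks       :", count_events(SAMPLE_XML, DEVICE_START))  # 2
    print(to_json_lines(parse_devices(SAMPLE_XML)))
```

On the trimmed sample the naive pattern yields four events for two devices, while the device-anchored pattern yields two. If you stay with XML input in Splunk, the same anchor has to appear in your LINE_BREAKER (with the required capture group on the whitespace preceding `<item>`), and the `hostname` field will arrive empty rather than absent for devices that did not answer a name query, which is worth normalising before you alias it.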