Very much a noob here. I've read (or tried to read!) the docs, I've watched the videos and still it's not doing what I thought it should.
I have loaded my data into Splunk (an XML file) and did a rex on the data to find what I was looking for. That worked fine.
sourcetype="xml" | rex "<CommandId>(?<commandid>\d+)</CommandId>"
Now I want to persist the data. I added this to my props.conf file (in Splunk\etc\system\local):
[xml]
REPORT-uploads = commandId
And this to transforms.conf (same location):
[commandId]
REGEX=<CommandId>(?<commandId>\d+)</CommandId>
Did I do this correctly?