1. I have configured inputs.conf to monitor the c:\windows\assembly folder on Windows Server.
2. I am using [fschange = folder path] to monitor assemblies.
3. I am getting into Splunk
4. But I am getting data in XML format; no fields are detected by Splunk automatic indexing. I have set the source type to assembly.
5. I need to view fields like version, date created, date modified, oldVersion, newVersion.
There are examples here on how to use the spath command to extract XML KV pairs at search time:
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Spath
My preferred method for parsing XML is to use props.conf KV_MODE, as it provides a tree view and autoextraction of all your XML fields:
PROPS.CONF:
[assembly]
KV_MODE = xml
Docs are here:
http://docs.splunk.com/Documentation/Splunk/5.0.2/admin/Propsconf
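To preview which field names XML auto-extraction would yield for an event before relying on it in searches, this added example (not part of the original answer and not Splunk's code) flattens a constructed XML event into dotted path names in the style of spath paths. The event layout, its element names, and the helper names `flatten` and `extract_fields` are assumptions; the real fschange XML may differ.

```python
import xml.etree.ElementTree as ET

# Constructed sample event; element and attribute names are assumptions.
SAMPLE_EVENT = r"""<assemblyChange>
  <path>C:\Windows\assembly\GAC_MSIL\Example.dll</path>
  <action>update</action>
  <oldVersion>1.0.0.0</oldVersion>
  <newVersion>1.1.0.0</newVersion>
  <times created="2013-01-10T08:00:00" modified="2013-03-02T14:30:00"/>
</assemblyChange>"""


def flatten(elem, prefix=""):
    """Return {field_name: [values]} with spath-style dotted path names."""
    name = f"{prefix}.{elem.tag}" if prefix else elem.tag
    fields = {}
    # Attributes are named element{@attribute}, as in spath path syntax.
    for attr, value in elem.attrib.items():
        fields.setdefault(f"{name}{{@{attr}}}", []).append(value)
    text = (elem.text or "").strip()
    if text:
        fields.setdefault(name, []).append(text)
    # Repeated child elements accumulate into one multivalue field.
    for child in elem:
        for key, values in flatten(child, name).items():
            fields.setdefault(key, []).extend(values)
    return fields


def extract_fields(raw_event):
    """Parse one raw event; report malformed XML instead of raising."""
    try:
        root = ET.fromstring(raw_event)
    except ET.ParseError as exc:
        # A truncated or badly broken event yields no usable fields.
        return {"_parse_error": [str(exc)]}
    return flatten(root)


if __name__ == "__main__":
    for field, values in sorted(extract_fields(SAMPLE_EVENT).items()):
        print(f"{field} = {values}")
```

An event that comes back with `_parse_error` is usually one that was split or truncated at index time, which is worth checking when a file-change alert shows no version fields.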