Hi,
I am indexing a set of XML files from an S3 bucket, and having trouble getting my config set up correctly.
The XML structure looks like (though it actually has no line-breaks in it);
My **props.conf** looks like;
```
[aws:s3:win-analytics]
KV_MODE = xml
LINE_BREAKER = [\>\s]((?=(\]*\>))
DATETIME_CONFIG =
NO_BINARY_CHECK = true
category = Custom
pulldown_type = true
disabled = false
TIME_PREFIX=generated
```
And my current **transforms.conf** looks like;
```
[aws:s3:win-analytics]
REGEX = \
FORMAT = $1::$2
```
Essentially, the XML file consists of events which are represented as any of these blocks;
`feature`
`app-stop`
`app-start`
`app-stop`
`session-stop`
I am having some success with my **props.conf**, though I'm not sure if it's breaking down events correctly; I get a lot of nested fields indexed by Splunk.
However, I'm having no success with my **transforms.conf**.
What I want is for an event to *not* include properties like
`feature.property{@name}="aProperty1"`
`feature.property{@value}="aValue1"`
but have fields like;
`aProperty1=aValue`