topic Multi Line Field Extraction for XML in Security

Multi Line Field Extraction for XML

SplunkDash — Thu, 07 Dec 2023 04:44:40 GMT

Hello,

I have some issues to perform multi-line field extraction for XML, my in-line extraction is not getting any result; sample events and my in-line extraction are provided below. Any help would be appreciated.

Sample Events:

<Event>

<Application_Name>Test</Application_Name>

<Host_Name>VS0SMADBEFT</Host_Name>

</Event>

<Event>

<Application_Name>Test</Application_Name>

<Host_Name>VS0SMADBEFT</Host_Name>

</Event>

In Line Extraction I Used

Re: Multi Line Field Extraction for XML

PickleRick — Thu, 07 Dec 2023 07:59:51 GMT

https://docs.splunk.com/Documentation/Splunk/Latest/Admin/Propsconf

* dotall (?s) and multi-line (?m) modifiers are added in front of the regex.
  So internally, the regex becomes (?ms)<regex>.

So if your regex doesn't match, there might be something not 100% OK with it. It almost checks out on regex101 but it warns about possible necessity of escaping the included slashes. So I'd start with verifying that.

Re: Multi Line Field Extraction for XML

SplunkDash — Thu, 07 Dec 2023 15:13:56 GMT

@PickleRick

Thank you so much for your quick response. However, no changes.

I was trying to use props and transforms conf files, but not working as well

My props transforms

[myprops] REPORT-mytrans_fields=mytrans_fields [mytrans_fields] REGEX=\<(\w+[^\n\/\>]+)\/?\>([^\<\n][^\<]*) FORMAT=$1::$2 DEST_KEY=_raw

Any recommendations?

Re: Multi Line Field Extraction for XML

PickleRick — Thu, 07 Dec 2023 18:01:30 GMT

To be fully honest, if your data is a well-formed XML, I'd just go for

KV_MODE=xml