topic XML tags extraction at index time in Getting Data In https://community.splunk.com/t5/Getting-Data-In/XML-tags-extraction-at-index-time/m-p/532477#M89510 <P>Hello,</P><P>I am trying to create some fields at index time from an XML log.</P><P>I prepared the sourcetype definition in the props.conf with the related TRANSFORM, and in the the transforms.conf I have the following:</P><P>&nbsp;</P><LI-CODE lang="markup">[xmlkv_extract] REGEX=\&lt;(.*?)\&gt;(.*?)\&lt; FORMAT = $1::$2 WRITE_META = true [xmlkv_extract_new] REGEX = &lt;email&gt;(.*?)&lt;\/email&gt;&lt;ccard&gt;(.*?)&lt;\/ccard&gt;&lt;company&gt;(.*?)&lt;\/company&gt;&lt;city&gt;(.*?)&lt;\/city&gt; FORMAT = email::"$1" credit_card::"$2" company::"$3" city::"$4" WRITE_META = True</LI-CODE><P>&nbsp;</P><P>&nbsp;and this my sample event:</P><P>&nbsp;</P><LI-CODE lang="markup">&lt;email&gt;orci.Phasellus.dapibus@egestasSed.ca&lt;/email&gt;&lt;ccard&gt;4539599637112700&lt;/ccard&gt;&lt;city&gt;Hamilton&lt;/city&gt;&lt;company&gt;Eros Proin LLC&lt;/company&gt;&lt;/fst&gt;</LI-CODE><P>&nbsp;</P><P>&nbsp;Now, the problem is, if I use the first transform, only the email field is extracted (by the way I tried the regex in regex101 site and it worked with all the fields). If I use the second transform, everything is ok.</P><P>Is there some limitation in the index-time field extraction about the "generic" xml tags extraction?</P><P>thanks</P><P>Fausto</P> Wed, 09 Dec 2020 14:22:23 GMT fsaporito 2020-12-09T14:22:23Z XML tags extraction at index time https://community.splunk.com/t5/Getting-Data-In/XML-tags-extraction-at-index-time/m-p/532477#M89510 <P>Hello,</P><P>I am trying to create some fields at index time from an XML log.</P><P>I prepared the sourcetype definition in the props.conf with the related TRANSFORM, and in the the transforms.conf I have the following:</P><P>&nbsp;</P><LI-CODE lang="markup">[xmlkv_extract] REGEX=\&lt;(.*?)\&gt;(.*?)\&lt; FORMAT = $1::$2 WRITE_META = true [xmlkv_extract_new] REGEX = &lt;email&gt;(.*?)&lt;\/email&gt;&lt;ccard&gt;(.*?)&lt;\/ccard&gt;&lt;company&gt;(.*?)&lt;\/company&gt;&lt;city&gt;(.*?)&lt;\/city&gt; FORMAT = email::"$1" credit_card::"$2" company::"$3" city::"$4" WRITE_META = True</LI-CODE><P>&nbsp;</P><P>&nbsp;and this my sample event:</P><P>&nbsp;</P><LI-CODE lang="markup">&lt;email&gt;orci.Phasellus.dapibus@egestasSed.ca&lt;/email&gt;&lt;ccard&gt;4539599637112700&lt;/ccard&gt;&lt;city&gt;Hamilton&lt;/city&gt;&lt;company&gt;Eros Proin LLC&lt;/company&gt;&lt;/fst&gt;</LI-CODE><P>&nbsp;</P><P>&nbsp;Now, the problem is, if I use the first transform, only the email field is extracted (by the way I tried the regex in regex101 site and it worked with all the fields). If I use the second transform, everything is ok.</P><P>Is there some limitation in the index-time field extraction about the "generic" xml tags extraction?</P><P>thanks</P><P>Fausto</P> Wed, 09 Dec 2020 14:22:23 GMT https://community.splunk.com/t5/Getting-Data-In/XML-tags-extraction-at-index-time/m-p/532477#M89510 fsaporito 2020-12-09T14:22:23Z