https://community.splunk.com/t5/Splunk-Search/Multivalue-XML-extraction-not-working/m-p/87821#M22437 <P>The quantifier * in the REGEX is greedy, so the expression . * is eating up all the chars before the last &lt;/EXPLT&gt;<BR /> Try adding a ? after the * to make it non-greedy, so the regex "stops" at the next &lt;/EXPLT&gt;, not the last.</P> <P>REGEX = (?mis)(&lt;EXPLT&gt;.*?&lt;/EXPLT&gt;)</P> Wed, 18 Jul 2012 10:21:39 GMT andreas 2012-07-18T10:21:39Z https://community.splunk.com/t5/Splunk-Search/Multivalue-XML-extraction-not-working/m-p/87820#M22436 <P>I'm trying to add several lines of XML to a multi-valued field. The data looks like: </P> <P>&lt;EXPLT&gt;<BR /><BR /> &lt;REF&gt;&lt;![CDATA[CVE-2011-4885]]&gt;&lt;/REF&gt;<BR /><BR /> &lt;DESC&gt;&lt;![CDATA[PHP Hashtables Denial of Service - The Exploit-DB Ref : 18296]]&gt;&lt;/DESC&gt;<BR /><BR /> &lt;LINK&gt;&lt;![CDATA[<A href="http://www.exploit-db.com/exploits/18296%5D%5D&gt;&lt;/LINK">http://www.exploit-db.com/exploits/18296]]&amp;gt;&amp;lt;/LINK</A>&gt;<BR /><BR /> &lt;/EXPLT&gt;<BR /><BR /> &lt;EXPLT&gt;<BR /><BR /> &lt;REF&gt;&lt;![CDATA[CVE-2011-4885]]&gt;&lt;/REF&gt;<BR /><BR /> &lt;DESC&gt;&lt;![CDATA[PHP Hash Table Collision Proof Of Concept - The Exploit-DB Ref : 18305]]&gt;&lt;/DESC&gt;<BR /><BR /> &lt;LINK&gt;&lt;![CDATA[<A href="http://www.exploit-db.com/exploits/18305%5D%5D&gt;&lt;/LINK">http://www.exploit-db.com/exploits/18305]]&amp;gt;&amp;lt;/LINK</A>&gt;<BR /><BR /> &lt;/EXPLT&gt;<BR /><BR /> &lt;EXPLT&gt;<BR /><BR /> &lt;REF&gt;&lt;![CDATA[CVE-2011-4153]]&gt;&lt;/REF&gt;<BR /><BR /> &lt;DESC&gt;&lt;![CDATA[PHP 5.3.8 Multiple Vulnerabilities - The Exploit-DB Ref : 18370]]&gt;&lt;/DESC&gt;<BR /><BR /> &lt;LINK&gt;&lt;![CDATA[<A href="http://www.exploit-db.com/exploits/18370%5D%5D&gt;&lt;/LINK">http://www.exploit-db.com/exploits/18370]]&amp;gt;&amp;lt;/LINK</A>&gt;<BR /><BR /> &lt;/EXPLT&gt;<BR /><BR /> &lt;EXPLT&gt;<BR /><BR /> &lt;REF&gt;&lt;![CDATA[CVE-2011-4885]]&gt;&lt;/REF&gt;<BR /><BR /> &lt;DESC&gt;&lt;![CDATA[MyBulletinBoard (MyBB) &lt;= 1.1.5 (CLIENT-IP) SQL Injection Exploit - The Exploit-DB Ref : 2012]]&gt;&lt;/DESC&gt;<BR /><BR /> &lt;LINK&gt;&lt;![CDATA[<A href="http://www.exploit-db.com/exploits/2012%5D%5D&gt;&lt;/LINK">http://www.exploit-db.com/exploits/2012]]&amp;gt;&amp;lt;/LINK</A>&gt;<BR /><BR /> &lt;/EXPLT&gt;<BR /><BR /> &lt;EXPLT&gt;<BR /><BR /> &lt;REF&gt;&lt;![CDATA[CVE-2012-0781]]&gt;&lt;/REF&gt;<BR /><BR /> &lt;DESC&gt;&lt;![CDATA[PHP 5.3.8 Multiple Vulnerabilities - The Exploit-DB Ref : 18370]]&gt;&lt;/DESC&gt;<BR /><BR /> &lt;LINK&gt;&lt;![CDATA[<A href="http://www.exploit-db.com/exploits/18370%5D%5D&gt;&lt;/LINK">http://www.exploit-db.com/exploits/18370]]&amp;gt;&amp;lt;/LINK</A>&gt;<BR /><BR /> &lt;/EXPLT&gt; </P> <P>My transforms.conf looks like: </P> <P>[qualys_exploit]<BR /><BR /> REGEX = (?mis)(&amp;lt;EXPLT&amp;gt;.*&amp;lt;/EXPLT&amp;gt;)<BR /><BR /> FORMAT = qualys_exploit::$1<BR /><BR /> MV_ADD = true </P> <P>props.conf: </P> <P>REPORT-qualys_exploit = qualys_exploit </P> <P>Splunk is taking everything between the first opening EXPLT tag and last closing EXPLT tag and making it a single event. What am I doing wrong that it's not treating these as multiple individual events?</P> <P>Thx.</P> <P>C </P> Sun, 01 Jul 2012 00:16:42 GMT https://community.splunk.com/t5/Splunk-Search/Multivalue-XML-extraction-not-working/m-p/87820#M22436 responsys_cm 2012-07-01T00:16:42Z https://community.splunk.com/t5/Splunk-Search/Multivalue-XML-extraction-not-working/m-p/87821#M22437 <P>The quantifier * in the REGEX is greedy, so the expression . * is eating up all the chars before the last &lt;/EXPLT&gt;<BR /> Try adding a ? after the * to make it non-greedy, so the regex "stops" at the next &lt;/EXPLT&gt;, not the last.</P> <P>REGEX = (?mis)(&lt;EXPLT&gt;.*?&lt;/EXPLT&gt;)</P> Wed, 18 Jul 2012 10:21:39 GMT https://community.splunk.com/t5/Splunk-Search/Multivalue-XML-extraction-not-working/m-p/87821#M22437 andreas 2012-07-18T10:21:39Z