
How do I parse AppLocker Windows Event Log? renderXml works, KV_mode = xml does not [Applocker]

New Member

I've been able to get the data from the AppLocker log into Splunk. A search with the data source piped into | xmlkv gives the expected result. I am trying to get the data into separate fields so that | xmlkv does not have to be used. I've entered KV_mode=xml in props.conf for the data source, which does not work. I've also tried writing regex and transforms, but have not been successful with either. The end result I am going for is to have Splunk parse out the different fields. Please help... I'm very new to Splunk and have been trying over the last few days to solve this.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
        <Provider Name='Microsoft-Windows-AppLocker' Guid='{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'/>
        <TimeCreated SystemTime='2016-05-16T18:31:15.732349300Z'/>
        <Execution ProcessID='4164' ThreadID='5772'/>
        <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
        <Security UserID='S-0-0-00-0000000000-0000000000-00000000-000000'/>
        <RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/'>
            <RuleName>(Default Rule) All files located in the Windows folder</RuleName>
            <RuleSddl>D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains "%WINDIR%\*"))</RuleSddl>
0 Karma


Do you have the Splunk Add-on for Microsoft Windows ( https://splunkbase.splunk.com/app/742 ) installed on your Search Head?

It defines the following sourcetype stanza in props.conf which I believe should auto extract this for you (given that your sourcetype is "XmlWinEventLog:*"):


If this doesn't work out of the box with the add-on, could you try adding the following to Splunk_TA_windows?

transforms.conf:

[userdata_props_xml_kv]
# Extracts anything in the form of <tag>value</tag> as tag::value
SOURCE_KEY = UserData_Xml
REGEX = (?ms)<(\w*)>([^<]*)<\/\1>
FORMAT = $1::$2
MV_ADD = 1

props.conf (in the sourcetype stanza for the AppLocker events):

REPORT-1xml_kv_extract = userdata_props_xml_kv

This is untested in Splunk, but I tested the regex in an online regex tool and I could see the fields extracted.

0 Karma
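The extraction the question asks for and the REGEX suggested in the answer above, replayed offline as an added example (this is not code from the thread, from Splunk, or from the Windows add-on). It uses Python's re module and ElementTree in place of Splunk's extraction engine; the event is constructed to mirror the one quoted in the question, with the standard System/UserData wrappers restored, an EventID and a FilePath element added as assumptions, and a placeholder GUID and SID.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real log): the event quoted in the question, with the
# standard <System>/<UserData> wrappers restored. EventID and FilePath are added
# as assumptions; the GUID and SID are placeholders.
SAMPLE_EVENT = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-AppLocker' Guid='{00000000-0000-0000-0000-000000000000}'/>
    <EventID>8003</EventID>
    <TimeCreated SystemTime='2016-05-16T18:31:15.732349300Z'/>
    <Execution ProcessID='4164' ThreadID='5772'/>
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
    <Security UserID='S-1-5-21-0000000000-0000000000-0000000000-1001'/>
  </System>
  <UserData>
    <RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/'>
      <RuleName>(Default Rule) All files located in the Windows folder</RuleName>
      <RuleSddl>D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains "%WINDIR%\*"))</RuleSddl>
      <FilePath>%OSDRIVE%\TEMP\EXAMPLE.EXE</FilePath>
    </RuleAndFileData>
  </UserData>
</Event>"""

# The REGEX from the suggested transforms.conf stanza, unchanged.
SPLUNK_REGEX = re.compile(r"(?ms)<(\w*)>([^<]*)<\/\1>")


def extract_with_regex(event_xml):
    """Replay the transforms.conf REGEX/FORMAT/MV_ADD behaviour in Python.

    Returns {tag: [values]}; repeated tags accumulate, which is what MV_ADD = 1
    does in Splunk. Only <tag>text</tag> pairs with no attributes and no child
    elements can match.
    """
    fields = {}
    for tag, value in SPLUNK_REGEX.findall(event_xml):
        fields.setdefault(tag, []).append(value)
    return fields


def extract_with_parser(event_xml):
    """Namespace-aware extraction with a real XML parser.

    Walks every element, strips the '{namespace}' prefix ElementTree puts on tag
    names, and emits both element text and attributes as fields, using
    Element_Attribute keys (a naming choice for this example, not Splunk's).
    """
    root = ET.fromstring(event_xml)
    fields = {}
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]
        text = (elem.text or "").strip()
        if text:  # skip container elements whose text is only whitespace
            fields.setdefault(local, []).append(text)
        for attr, value in elem.attrib.items():
            fields.setdefault(f"{local}_{attr}", []).append(value)
    return fields


def missed_by_regex(event_xml):
    """Field names the parser finds that the tag-only regex cannot produce."""
    regex_keys = set(extract_with_regex(event_xml))
    parser_keys = set(extract_with_parser(event_xml))
    return sorted(parser_keys - regex_keys)


if __name__ == "__main__":
    for name, values in sorted(extract_with_regex(SAMPLE_EVENT).items()):
        print(f"regex   {name}::{values[0]}")
    for name in missed_by_regex(SAMPLE_EVENT):
        print(f"missed  {name}")
```

Running it shows the practical caveat with the tag-only regex: it recovers RuleName, RuleSddl, Channel and similar text-only elements, but anything carried in attributes (the Provider Name, the TimeCreated SystemTime, the Security UserID, the Execution ProcessID) never becomes a field, and those are the values an analyst most wants when reviewing AppLocker events. A namespace-aware walk of the whole tree keeps them, which is the result the asker is after.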

Path Finder

Add the parameter below in inputs.conf to render events in XML:
renderXml=true # this parameter will do the trick.

0 Karma


I'm having the same exact issue. Were you able to solve this?

0 Karma