Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Windows event log XML not parsing with KV_MODE = xml

jpolcari
Communicator
‎09-12-2016 11:19 AM

I have made the following change to a forwarder to send JUST applocker data as XML:

[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
renderXml=1

[WinEventLog://Microsoft-Windows-AppLocker/MSI and Script]
disabled = 0
renderXml=1

I am able to parse the field values if I use | xmlkv, but when adding KV_MODE = xml to the props.conf on the forwarder (like so):

[XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL]
KV_MODE = xml

I do not get parsed results in Splunk. Am I missing something?

Reply

amara
Observer
‎11-09-2024 04:23 PM

I got the same parsing issue like you using the KV_MODE parameter  but  i found the cause and the solution

Tested on splunk enterprise 9.2.1, in the props.conf,  you should specify the source field and value in the stanza like this:

[source::WinEventLog]
KV_MODE = xml

 

NB: you can adapt the source value to match to you logs source value

***Since the post is old, I hope this solution will be useful to those who encounter the problem again.***

Tags (2)
0 Karma
Reply

benlc
Path Finder
‎02-23-2017 06:31 AM

I figured that KV_MODE = xml for any XmlWinEventLog is not working somehow. Maybe it is not prober XML. I could not find something in answer. But as I have the same problem I found a lot of suggestions using KV_MODE = xml. But it just does not work ;-).

https://answers.splunk.com/answers/302711/how-to-configure-splunk-to-extract-xml-fields-from.html
https://answers.splunk.com/answers/402872/how-do-i-parse-applocker-windows-event-log-renderx.html

I personally would use Splunk_TA_windows Transforms. They do extract the fields perfect. But the stanza in the splunk App [(?::){0}XmlWinEventLog:*] does not work for me.
So I copied the Transforms directly to the sourcetype and created a local/props.conf:

e.g.
[XmlWinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational]
KV_MODE = none
REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data

Maybe somebody can comment on this issue? But the above solution works perfectly for me.

Have a good day.
Ben

0 Karma
Reply

jconger
Splunk Employee
Splunk Employee
‎09-12-2016 01:48 PM

KV_MODE is a search-time field extractor, so it will need to go in props.conf on your search head instead of the forwarder.

0 Karma
Reply

jpolcari
Communicator
‎09-13-2016 05:50 AM

I've added the KV_MODE section to prop.conf (the one in %SPLUNK_Home%\etc\system\local) on my search head and restarted but I am still getting the same results. The fields are not getting extracted. Any other idea?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...