Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Windows event log XML not parsing with KV_MODE = xml

jpolcari
Communicator
‎09-12-2016 11:19 AM

I have made the following change to a forwarder to send JUST applocker data as XML:

[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
renderXml=1

[WinEventLog://Microsoft-Windows-AppLocker/MSI and Script]
disabled = 0
renderXml=1

I am able to parse the field values if I use | xmlkv, but when adding KV_MODE = xml to the props.conf on the forwarder (like so):

[XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL]
KV_MODE = xml

I do not get parsed results in Splunk. Am I missing something?

Reply

amara
Observer
‎11-09-2024 04:23 PM

I got the same parsing issue like you using the KV_MODE parameter  but  i found the cause and the solution

Tested on splunk enterprise 9.2.1, in the props.conf,  you should specify the source field and value in the stanza like this:

[source::WinEventLog]
KV_MODE = xml

 

NB: you can adapt the source value to match to you logs source value

***Since the post is old, I hope this solution will be useful to those who encounter the problem again.***

Tags (2)
0 Karma
Reply

benlc
Path Finder
‎02-23-2017 06:31 AM

I figured that KV_MODE = xml for any XmlWinEventLog is not working somehow. Maybe it is not prober XML. I could not find something in answer. But as I have the same problem I found a lot of suggestions using KV_MODE = xml. But it just does not work ;-).

https://answers.splunk.com/answers/302711/how-to-configure-splunk-to-extract-xml-fields-from.html
https://answers.splunk.com/answers/402872/how-do-i-parse-applocker-windows-event-log-renderx.html

I personally would use Splunk_TA_windows Transforms. They do extract the fields perfect. But the stanza in the splunk App [(?::){0}XmlWinEventLog:*] does not work for me.
So I copied the Transforms directly to the sourcetype and created a local/props.conf:

e.g.
[XmlWinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational]
KV_MODE = none
REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data

Maybe somebody can comment on this issue? But the above solution works perfectly for me.

Have a good day.
Ben

0 Karma
Reply

jconger
Splunk Employee
Splunk Employee
‎09-12-2016 01:48 PM

KV_MODE is a search-time field extractor, so it will need to go in props.conf on your search head instead of the forwarder.

0 Karma
Reply

jpolcari
Communicator
‎09-13-2016 05:50 AM

I've added the KV_MODE section to prop.conf (the one in %SPLUNK_Home%\etc\system\local) on my search head and restarted but I am still getting the same results. The fields are not getting extracted. Any other idea?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...