
Windows event log XML not parsing with KV_MODE = xml

jpolcari
Communicator

I have made the following change to a forwarder to send JUST AppLocker data as XML:

[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
renderXml=1

[WinEventLog://Microsoft-Windows-AppLocker/MSI and Script]
disabled = 0
renderXml=1

I am able to parse the field values if I use | xmlkv, but when adding KV_MODE = xml to the props.conf on the forwarder (like so):

[XmlWinEventLog:Microsoft-Windows-AppLocker/EXE and DLL]
KV_MODE = xml

I do not get parsed results in Splunk. Am I missing something?

amara
Observer

I got the same parsing issue as you using the KV_MODE parameter, but I found the cause and the solution.

Tested on Splunk Enterprise 9.2.1: in props.conf, you should specify the source field and value in the stanza like this:

[source::WinEventLog]
KV_MODE = xml


NB: you can adapt the source value to match your logs' source value.

***Since the post is old, I hope this solution will be useful to those who encounter the problem again.***


benlc
Path Finder

I figured that KV_MODE = xml for any XmlWinEventLog is not working somehow. Maybe it is not proper XML. I could not find anything in Answers. But as I have the same problem I found a lot of suggestions using KV_MODE = xml. But it just does not work ;-).

https://answers.splunk.com/answers/302711/how-to-configure-splunk-to-extract-xml-fields-from.html
https://answers.splunk.com/answers/402872/how-do-i-parse-applocker-windows-event-log-renderx.html

I personally would use the Splunk_TA_windows transforms. They extract the fields perfectly. But the stanza in the Splunk app [(?::){0}XmlWinEventLog:*] does not work for me.
So I copied the Transforms directly to the sourcetype and created a local/props.conf:

e.g.
[XmlWinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational]
KV_MODE = none
REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data

Maybe somebody can comment on this issue? But the above solution works perfectly for me.

Have a good day.
Ben

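To make concrete what the xml_block / xml_kv transforms above (and `| xmlkv`) have to pull out of a renderXml=1 event, here is an added Python example that flattens a rendered Windows event into key/value fields. It is not Splunk's code or the TA's; the two sample events are constructed for illustration (the provider GUID, SID, host name and timestamps are placeholders). AppLocker 8004 events carry their fields under `UserData/RuleAndFileData` rather than `EventData`, so the parser handles the System block, named `EventData/Data` elements and arbitrary `UserData` leaves.

```python
"""Flatten a rendered (renderXml=1) Windows event into key/value fields.

Added example, not Splunk code. Sample events below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed AppLocker "EXE and DLL" block event (UserData layout).
APPLOCKER_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" Guid="{00000000-0000-0000-0000-000000000000}"/>
    <EventID>8004</EventID>
    <Level>2</Level>
    <TimeCreated SystemTime="2024-01-01T00:00:00.000000000Z"/>
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
    <Computer>host.example.local</Computer>
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>EXE</PolicyName>
      <RuleName>Deny unsigned downloads</RuleName>
      <FilePath>%OSDRIVE%\\USERS\\ALICE\\DOWNLOADS\\TOOL.EXE</FilePath>
      <TargetUser>S-1-5-21-1111111111-2222222222-3333333333-1001</TargetUser>
    </RuleAndFileData>
  </UserData>
</Event>"""

# Constructed event using the more common EventData/Data Name="..." layout.
EVENTDATA_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WindowsUpdateClient"/>
    <EventID>19</EventID>
    <Channel>Microsoft-Windows-WindowsUpdateClient/Operational</Channel>
    <Computer>host.example.local</Computer>
  </System>
  <EventData>
    <Data Name="updateTitle">Example Update (KB0000000)</Data>
    <Data Name="updateGuid">{11111111-2222-3333-4444-555555555555}</Data>
    <Data>unnamed value</Data>
  </EventData>
</Event>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _collect_leaves(elem, fields):
    """Record every leaf element under elem as localname=text (UserData layout)."""
    for child in elem:
        if len(child):
            _collect_leaves(child, fields)
        elif child.text and child.text.strip():
            fields[_local(child.tag)] = child.text.strip()


def parse_event(xml_text):
    """Return a flat dict of fields from one rendered Windows event."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "Event":
        raise ValueError("not a Windows Event XML document")
    fields = {}
    for section in root:
        sname = _local(section.tag)
        if sname == "System":
            # Element text -> Tag; attributes -> Tag_Attr (e.g. TimeCreated_SystemTime).
            for child in section:
                tag = _local(child.tag)
                for attr, value in child.attrib.items():
                    fields[f"{tag}_{attr}"] = value
                if child.text and child.text.strip():
                    fields[tag] = child.text.strip()
        elif sname == "EventData":
            # <Data Name="X">v</Data> -> X=v; unnamed Data elements get Data1, Data2, ...
            unnamed = 0
            for data in section:
                name = data.attrib.get("Name")
                if not name and _local(data.tag) != "Data":
                    name = _local(data.tag)  # e.g. <Binary>
                if not name:
                    unnamed += 1
                    name = f"Data{unnamed}"
                fields[name] = (data.text or "").strip()
        elif sname == "UserData":
            _collect_leaves(section, fields)
    return fields


if __name__ == "__main__":
    for event in (APPLOCKER_EVENT, EVENTDATA_EVENT):
        for key, value in parse_event(event).items():
            print(f"{key}={value}")
```

Running it prints one `key=value` line per extracted field; the System block yields `EventID`, `Channel`, `Provider_Name` and `TimeCreated_SystemTime`, the AppLocker event adds `FilePath`, `RuleName` and `TargetUser` from UserData, and the second event adds the named `Data` entries. If the fields you get in Splunk differ from what this produces for the same raw event, the XML itself is fine and the gap is in where the extraction is configured, which matches the search-time point made later in this thread.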

jconger
Splunk Employee

KV_MODE is a search-time field extractor, so it will need to go in props.conf on your search head instead of the forwarder.


jpolcari
Communicator

I've added the KV_MODE section to props.conf (the one in %SPLUNK_HOME%\etc\system\local) on my search head and restarted, but I am still getting the same results. The fields are not getting extracted. Any other idea?
