XML tags extraction at index time

Getting Data In

Hello,

I am trying to create some fields at index time from an XML log.

I prepared the sourcetype definition in the props.conf with the related TRANSFORM, and in the the transforms.conf I have the following:

[xmlkv_extract]
REGEX=\<(.*?)\>(.*?)\<
FORMAT = $1::$2
WRITE_META = true

[xmlkv_extract_new]
REGEX = <email>(.*?)<\/email><ccard>(.*?)<\/ccard><company>(.*?)<\/company><city>(.*?)<\/city>
FORMAT = email::"$1" credit_card::"$2" company::"$3" city::"$4"
WRITE_META = True

and this my sample event:

<email>orci.Phasellus.dapibus@egestasSed.ca</email><ccard>4539599637112700</ccard><city>Hamilton</city><company>Eros Proin LLC</company></fst>

Now, the problem is, if I use the first transform, only the email field is extracted (by the way I tried the regex in regex101 site and it worked with all the fields). If I use the second transform, everything is ok.

Is there some limitation in the index-time field extraction about the "generic" xml tags extraction?

thanks

Fausto

Get Updates on the Splunk Community!

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Are you a member of the Splunk Community?