XML tags extraction at index time

Getting Data In

Hello,

I am trying to create some fields at index time from an XML log.

I prepared the sourcetype definition in the props.conf with the related TRANSFORM, and in the the transforms.conf I have the following:

[xmlkv_extract]
REGEX=\<(.*?)\>(.*?)\<
FORMAT = $1::$2
WRITE_META = true

[xmlkv_extract_new]
REGEX = <email>(.*?)<\/email><ccard>(.*?)<\/ccard><company>(.*?)<\/company><city>(.*?)<\/city>
FORMAT = email::"$1" credit_card::"$2" company::"$3" city::"$4"
WRITE_META = True

and this my sample event:

<email>orci.Phasellus.dapibus@egestasSed.ca</email><ccard>4539599637112700</ccard><city>Hamilton</city><company>Eros Proin LLC</company></fst>

Now, the problem is, if I use the first transform, only the email field is extracted (by the way I tried the regex in regex101 site and it worked with all the fields). If I use the second transform, everything is ok.

Is there some limitation in the index-time field extraction about the "generic" xml tags extraction?

thanks

Fausto

Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...

Are you a member of the Splunk Community?