XML tags extraction at index time

Getting Data In

Hello,

I am trying to create some fields at index time from an XML log.

I prepared the sourcetype definition in the props.conf with the related TRANSFORM, and in the the transforms.conf I have the following:

[xmlkv_extract]
REGEX=\<(.*?)\>(.*?)\<
FORMAT = $1::$2
WRITE_META = true

[xmlkv_extract_new]
REGEX = <email>(.*?)<\/email><ccard>(.*?)<\/ccard><company>(.*?)<\/company><city>(.*?)<\/city>
FORMAT = email::"$1" credit_card::"$2" company::"$3" city::"$4"
WRITE_META = True

and this my sample event:

<email>orci.Phasellus.dapibus@egestasSed.ca</email><ccard>4539599637112700</ccard><city>Hamilton</city><company>Eros Proin LLC</company></fst>

Now, the problem is, if I use the first transform, only the email field is extracted (by the way I tried the regex in regex101 site and it worked with all the fields). If I use the second transform, everything is ok.

Is there some limitation in the index-time field extraction about the "generic" xml tags extraction?

thanks

Fausto

Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Join the Conversation