XML tags extraction at index time

Getting Data In

Hello,

I am trying to create some fields at index time from an XML log.

I prepared the sourcetype definition in the props.conf with the related TRANSFORM, and in the the transforms.conf I have the following:

[xmlkv_extract]
REGEX=\<(.*?)\>(.*?)\<
FORMAT = $1::$2
WRITE_META = true

[xmlkv_extract_new]
REGEX = <email>(.*?)<\/email><ccard>(.*?)<\/ccard><company>(.*?)<\/company><city>(.*?)<\/city>
FORMAT = email::"$1" credit_card::"$2" company::"$3" city::"$4"
WRITE_META = True

and this my sample event:

<email>orci.Phasellus.dapibus@egestasSed.ca</email><ccard>4539599637112700</ccard><city>Hamilton</city><company>Eros Proin LLC</company></fst>

Now, the problem is, if I use the first transform, only the email field is extracted (by the way I tried the regex in regex101 site and it worked with all the fields). If I use the second transform, everything is ok.

Is there some limitation in the index-time field extraction about the "generic" xml tags extraction?

thanks

Fausto

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...