Security

Multi Line Field Extraction for XML

SplunkDash
Motivator

Hello,

I have some issues to perform multi-line field extraction for XML, my in-line extraction is not getting any result; sample events and my in-line extraction are provided below. Any help would be appreciated. 

Sample Events:

<Event>

<ID>0123011</ID>

<Time>2023-10-28T05:22:37.97011</Time>

<Application_Name>Test</Application_Name>

<Host_Name>VS0SMADBEFT</Host_Name>

</Event>

<Event>

<ID>01232113</ID>

<Time>2023-10-28T05:22:37.99011</Time>

<Application_Name>Test</Application_Name>

<Host_Name>VS0SMADBEFT</Host_Name>

</Event>

 

In Line Extraction I Used

<ID>(?<ID>[^<]+)<\/ID>([\r\n]*)<Time>(?<Time>[^<]+)</Time>([\r\n]*)<Application_Name>(?<Application_Name>[^<]+)</Application_Name>([\r\n]*)<Host_Name>(?<Host_Name>[^<]+)</Host_Name>

 

 

Labels (1)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

To be fully honest, if your data is a well-formed XML, I'd just go for

KV_MODE=xml

View solution in original post

PickleRick
SplunkTrust
SplunkTrust

https://docs.splunk.com/Documentation/Splunk/Latest/Admin/Propsconf

* dotall (?s) and multi-line (?m) modifiers are added in front of the regex.
  So internally, the regex becomes (?ms)<regex>.

 So if your regex doesn't match, there might be something not 100% OK with it. It almost checks out on regex101 but it warns about possible necessity of escaping the included slashes. So I'd start with verifying that.

SplunkDash
Motivator

@PickleRick 

Thank you so much for your quick response. However, no changes.

I was trying to use props and transforms conf files, but not working as well

My props transforms

[myprops]

REPORT-mytrans_fields=mytrans_fields

[mytrans_fields]

REGEX=\<(\w+[^\n\/\>]+)\/?\>([^\<\n][^\<]*)

FORMAT=$1::$2

DEST_KEY=_raw

 

Any recommendations?

0 Karma

PickleRick
SplunkTrust
SplunkTrust

To be fully honest, if your data is a well-formed XML, I'd just go for

KV_MODE=xml
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...