Hi,
I am not finding any previous posts that answer my question so here it is.
I have a security appliance that sends XML alerts to Splunk.
In my props.conf file I have:
[sec_app_xml]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(^\<\?xml.*\<\/alerts\>$)
Now I would like to extract all values from between the tags, for example
<smtp-header> blah blah blah ... etc ...</smtp-header>
so that I get the field smtp_header and the value contained between the XML tags.
I started a transforms.conf:
#XML field extractions
[sec_app_xml]
but I have had no luck with a regex.
Please advise, Thank you.
I believe you need to set up KV_MODE=xml for your sourcetype on your search head (for search-time field extractions).
props.conf
[yoursourcetype]
KV_MODE = xml
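To show what the asker is after (each leaf tag becoming a field, with the hyphen in smtp-header turned into an underscore), here is an added stand-alone illustration written for this page, not Splunk's own extraction code and not the asker's configuration. It parses a constructed alert shaped like the <alerts>...</alerts> events in the question; the tag names other than alerts and smtp-header, and the sample values, are assumptions. The field naming used here (flattened leaf tag name, non-alphanumerics replaced with underscores) is a choice for the example and is not a claim about how KV_MODE=xml names nested fields.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample event shaped like the appliance alerts in the question.
# Everything except the <alerts> and <smtp-header> tags is an assumption.
SAMPLE_ALERT = """<?xml version="1.0"?>
<alerts>
  <alert>
    <severity>high</severity>
    <smtp-header>From: sender@example.invalid</smtp-header>
    <src-ip>192.0.2.10</src-ip>
  </alert>
</alerts>"""


def field_name(tag: str) -> str:
    """Turn an XML tag name into a field name: 'smtp-header' -> 'smtp_header'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", tag)


def extract_fields(xml_text: str) -> dict:
    """Map each leaf element's field name to the list of text values it carried.

    Appliance output is untrusted input; the stdlib parser used here does not
    fetch external entities, and the format in the question needs no DTD.
    Multiple elements with the same tag produce a multi-valued field.
    """
    root = ET.fromstring(xml_text)
    fields: dict = {}
    for elem in root.iter():
        # Leaf element (no children) with non-blank text becomes a field.
        if len(elem) == 0 and elem.text and elem.text.strip():
            fields.setdefault(field_name(elem.tag), []).append(elem.text.strip())
    return fields


if __name__ == "__main__":
    for name, values in extract_fields(SAMPLE_ALERT).items():
        print(f"{name} = {values}")
```

As the answer says, this is search-time work: the props.conf setting belongs on the search head, and nothing in transforms.conf is needed for the plain tag-to-field case.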
It works. Thank you.