Splunk Search

How to edit my transforms.conf xml field extraction?

packet_hunter
Contributor

Hi,
I am not finding any previous posts that answer my question so here it is.

I have a security appliance that sends XML alerts to Splunk.

in my props.conf file I have

[sec_app_xml]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(^\<\?xml.*\<\/alerts\>$)

now I would like extract all values from between the tags for example

<smtp-header>  blah blah blah ... etc ...</smtp-header>

so that I get the field smtp_header and the value contained between the xml tags.

I started a Transforms.conf

#XML field extractions
[sec_app_xml]

but I have had no luck with a regex?

Please advise, Thank you.

0 Karma
1 Solution

somesoni2
Revered Legend

I believe you need to setup KV_MODe=xml for your sourcetype in your search head (for search time field extractions).

props.conf

[yoursourcetype]
KV_MODE= xml

See this: http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Automatickey-valuefieldextractionsatsear...

View solution in original post

0 Karma

somesoni2
Revered Legend

I believe you need to setup KV_MODe=xml for your sourcetype in your search head (for search time field extractions).

props.conf

[yoursourcetype]
KV_MODE= xml

See this: http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Automatickey-valuefieldextractionsatsear...

0 Karma

packet_hunter
Contributor

It works Thank you

0 Karma
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...