Solved: How to edit my transforms.conf xml field extractio...

packet_hunter · ‎01-26-2017

Hi,
I am not finding any previous posts that answer my question so here it is.

I have a security appliance that sends XML alerts to Splunk.

in my props.conf file I have

[sec_app_xml]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(^\<\?xml.*\<\/alerts\>$)

now I would like extract all values from between the tags for example

<smtp-header>  blah blah blah ... etc ...</smtp-header>

so that I get the field smtp_header and the value contained between the xml tags.

I started a Transforms.conf

#XML field extractions
[sec_app_xml]

but I have had no luck with a regex?

Please advise, Thank you.

somesoni2 · ‎01-26-2017

I believe you need to setup KV_MODe=xml for your sourcetype in your search head (for search time field extractions).

props.conf

[yoursourcetype]
KV_MODE= xml

somesoni2 · ‎01-26-2017

I believe you need to setup KV_MODe=xml for your sourcetype in your search head (for search time field extractions).

props.conf

[yoursourcetype]
KV_MODE= xml

packet_hunter · ‎01-26-2017

It works Thank you

How to edit my transforms.conf xml field extraction?