Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

How to edit my transforms.conf xml field extraction?

packet_hunter
Contributor
โ€Ž01-26-2017 01:34 PM

Hi,
I am not finding any previous posts that answer my question so here it is.

I have a security appliance that sends XML alerts to Splunk.

in my props.conf file I have 

[sec_app_xml]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(^\<\?xml.*\<\/alerts\>$)

now I would like extract all values from between the tags for example

<smtp-header>  blah blah blah ... etc ...</smtp-header>

so that I get the field smtp_header and the value contained between the xml tags.

I started a Transforms.conf

#XML field extractions
[sec_app_xml]

but I have had no luck with a regex?

Please advise, Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
โ€Ž01-26-2017 02:47 PM

I believe you need to setup KV_MODe=xml for your sourcetype in your search head (for search time field extractions).

props.conf

[yoursourcetype]
KV_MODE= xml

See this: http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Automatickey-valuefieldextractionsatsear...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
โ€Ž01-26-2017 02:47 PM

I believe you need to setup KV_MODe=xml for your sourcetype in your search head (for search time field extractions).

props.conf

[yoursourcetype]
KV_MODE= xml

See this: http://docs.splunk.com/Documentation/Splunk/6.5.2/Knowledge/Automatickey-valuefieldextractionsatsear...

View solution in original post

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
โ€Ž01-26-2017 03:00 PM

It works Thank you

0 Karma
Reply