Hello Splunkers,
I have following data showing in one of the field like "info" in Splunk. so my QS is there any way i can extract more fields using eval statements etc adding to props or transforms file just below data.
14VIOL_HTTP_PROTOCOL2
2sggyyeyryryrrxgvy=
does your props has KV_MODE = xml or INDEXED_EXTRACTIONS = xml for field extraction
we dont have that but i dont want to add KV_mode=xml since all the data is not in xml format except the above field all data is not in xml format.
FYI - we just disabled with KV_MODE = none in props
Can you post your props looks like ?
Please post a snippet of your xml data
sorry added now.