Solved: field value is being extracted as fieldname in reg...

michaelrosello · ‎07-18-2019

I am trying to extract xml fields using regex but I am encourtering this issue for this specific tags, It is working with other tags. I have tested my regex in regex101 and it is working properly. https://regex101.com/r/ivJjTE/1

In this example below, CrawlTraffic is being extracted properly, but CrawlTraffic value is also being extracted as a new field with "" as a value.

props.conf

[nexpose_appspider]
TRANSFORMS-null= setnull
BREAK_ONLY_BEFORE = <Vuln>
NO_BINARY_CHECK = true
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TIME_PREFIX = <ScanDate>
MAX_TIMESTAMP_LOOKAHEAD = 19
TRUNCATE = 0
disabled = false
pulldown_type = true
REPORT-xmlext11 = xml-extr11

transforms.conf

[xml-extr11]
REGEX = <([^>]+)>([^<]*)<\/\1>
FORMAT = $1::$2
MV_ADD = true
REPEAT_MATCH = true

[setnull]
REGEX = <VulnSummary>
DEST_KEY = queue
FORMAT = nullQueue

thomasroulet · ‎07-21-2019

Hello,

you should add KV_MODE=none in props.conf for nexpose_appspider sourcetype.
By default KV_MODE is set to auto.
It will ensure that splunk will not try to extract key=value pattern.
In your exemple the value of CrawlTraffic finishes by "=".
Splunk extracts the pattern. That's why the value is empty.

View solution in original post

thomasroulet · ‎07-21-2019

Hello,

you should add KV_MODE=none in props.conf for nexpose_appspider sourcetype.
By default KV_MODE is set to auto.
It will ensure that splunk will not try to extract key=value pattern.
In your exemple the value of CrawlTraffic finishes by "=".
Splunk extracts the pattern. That's why the value is empty.

field value is being extracted as fieldname in regex

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services