Hey, that SPL is good. But it has 99 Data sections and I'm getting regex backtracking errors on Regex101. Currently I make it like this:

[test_xmldata_to_fields]
SOURCE_KEY = EventData_Xml
REGEX = (?ms)<Data>(.*?)<\/Data>
FORMAT = test_data::$1
MV_ADD = 1

And then (a dirty one, but it's working for a start):

EVAL-t_process_name=mvindex(test_data,0)
EVAL-t_signature_name=mvindex(test_data,1)
EVAL-t_binary_description=mvindex(test_data,2)

Regarding the <Data> field, does it always have the same format (process_name, signature_name, binary_description)?
* Yes

Sourcetype: I created my own and am just using Splunk_TA_Windows for the initial report to extract Data_Xml. Basically, it's a new sourcetype and I can set up transforms and props as I like.
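The extraction above (a transforms stanza pulling every <Data> element into a multivalue field, then positional EVALs with mvindex) reproduced as a stand-alone Python script, so it can be checked offline against an event with many Data elements. This is an added example, not code from the post or from Splunk; the sample EventData_Xml, the make_event helper and the field names are constructed for illustration. It also shows a second pattern, <Data>([^<]*)</Data>, that captures the same values as the posted (?ms)<Data>(.*?)<\/Data> but cannot backtrack across element boundaries, which is what tends to push long events over Regex101's step limit.

```python
import re

# Constructed sample EventData_Xml (not from the original post). The Data
# elements are positional, as in the poster's sourcetype.
SAMPLE_EVENTDATA_XML = (
    "<EventData>"
    "<Data>C:\\Windows\\System32\\cmd.exe</Data>"
    "<Data>Microsoft Windows</Data>"
    "<Data>Windows Command Processor</Data>"
    "<Data>some fourth value</Data>"
    "</EventData>"
)

# The regex from the transforms.conf stanza in the post (PCRE and Python's
# re agree on this pattern).
POSTED_REGEX = re.compile(r"(?ms)<Data>(.*?)<\/Data>")

# Same captures, but [^<]* stops at the first '<', so the engine never has to
# backtrack across element boundaries on long events. XML text cannot contain
# a raw '<' (it must be escaped as &lt;), so this only differs for CDATA.
LINEAR_REGEX = re.compile(r"<Data>([^<]*)</Data>")

# Position -> field name, mirroring EVAL-...=mvindex(test_data, N) from the post.
FIELD_MAP = {
    0: "t_process_name",
    1: "t_signature_name",
    2: "t_binary_description",
}


def extract_test_data(event_xml, pattern=LINEAR_REGEX):
    """Return the multivalue field test_data: one entry per <Data> element."""
    return pattern.findall(event_xml)


def positional_fields(test_data, field_map=FIELD_MAP):
    """Map positions to field names. An out-of-range index yields no field,
    the same way mvindex() returns null for a missing position."""
    return {name: test_data[i] for i, name in field_map.items() if i < len(test_data)}


def make_event(n_data):
    """Build a constructed event with n_data positional <Data> elements
    (hypothetical data, used to exercise the 99-element case)."""
    body = "".join(f"<Data>value_{i}</Data>" for i in range(n_data))
    return f"<EventData>{body}</EventData>"


def regexes_agree(event_xml):
    """True when the posted regex and the linear one capture the same values."""
    return extract_test_data(event_xml, POSTED_REGEX) == extract_test_data(event_xml, LINEAR_REGEX)


if __name__ == "__main__":
    values = extract_test_data(SAMPLE_EVENTDATA_XML)
    print(positional_fields(values))
    print("99-element event, both regexes agree:", regexes_agree(make_event(99)))
```

The positional mapping only holds while the event's Data order is fixed, which the poster confirmed for this sourcetype; if a later event variant inserts or drops an element, every field after it shifts, so a check on the total count (for example, len(test_data) == 99) before trusting the mvindex fields is cheap insurance.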