Hello, I am trying to create some fields at index time from an XML log. I prepared the sourcetype definition in props.conf with the related TRANSFORM, and in transforms.conf I have the following:

[xmlkv_extract]
REGEX=\<(.*?)\>(.*?)\<
FORMAT = $1::$2
WRITE_META = true
[xmlkv_extract_new]
REGEX = <email>(.*?)<\/email><ccard>(.*?)<\/ccard><company>(.*?)<\/company><city>(.*?)<\/city>
FORMAT = email::"$1" credit_card::"$2" company::"$3" city::"$4"
WRITE_META = True

and this is my sample event:

<email>orci.Phasellus.dapibus@egestasSed.ca</email><ccard>4539599637112700</ccard><city>Hamilton</city><company>Eros Proin LLC</company></fst>

Now, the problem is that if I use the first transform, only the email field is extracted (by the way, I tried the regex on the regex101 site and it worked with all the fields). If I use the second transform, everything is OK. Is there some limitation in index-time field extraction regarding "generic" XML tag extraction?

Thanks,
Fausto