I got the same parsing issue as you when using the KV_MODE parameter, but I found the cause and the solution.

Tested on Splunk Enterprise 9.2.1. In props.conf, you should specify the source field and value in the stanza like this:

```
[source::WinEventLog]
KV_MODE = xml
```

NB: you can adapt the source value to match your logs' source value.

***Since the post is old, I hope this solution will be useful to those who encounter the problem again.***