XML fields and multivalues

tjohnston2 — Thu, 03 Jun 2010 07:25:08 GMT

I am trying to search on the name field by scap-id in the following data. When I search against it Splunk returns one value for the name and throws out the rest. How do I make name a multivalued field. I have included a dataset and my props.conf and transforms.conf.

<controls scap-id='CVE-2010-1241'>
    <control internal-id='8081023'>
      <name>Updates for Windows Applications::Adobe Reader 8.2.2 Available - Adobe Reader 8.2.1</name>
      <release-date>Tue, 13 Apr 2010</release-date>
      <statistics>
        <scanned>4</scanned>
        <passed>4</passed>
        <failed>0</failed>
        <patched>0</patched>
        <mean-patch-time-hours>NaN</mean-patch-time-hours>
      </statistics>
      <exceptions>
        <has-exception>false</has-exception>
        <use-exception>true</use-exception>
        <exempt-count>0</exempt-count>
      </exceptions>
    </control>
    <control internal-id='8081024'>
      <name>Updates for Windows Applications::Adobe Reader 8.2.2 Available - Adobe Reader 8.2.1 (French)</name>
      <release-date>Tue, 13 Apr 2010</release-date>
      <statistics>
        <scanned>4</scanned>
        <passed>4</passed>
        <failed>0</failed>
        <patched>0</patched>
        <mean-patch-time-hours>NaN</mean-patch-time-hours>
      </statistics>
      <exceptions>
        <has-exception>false</has-exception>
        <use-exception>true</use-exception>
        <exempt-count>0</exempt-count>
      </exceptions>
    </control>
    <control internal-id='8091029'>
      <name>Updates for Windows Applications::Adobe Reader 9.3.2 Available - Adobe Reader 9.3/9.3.1</name>
      <release-date>Tue, 13 Apr 2010</release-date>
      <statistics>
        <scanned>4</scanned>
        <passed>3</passed>
        <failed>1</failed>
        <patched>0</patched>
        <mean-patch-time-hours>NaN</mean-patch-time-hours>
      </statistics>
      <exceptions>
        <has-exception>false</has-exception>
        <use-exception>true</use-exception>
        <exempt-count>0</exempt-count>
      </exceptions>
    </control>
    <control internal-id='8091030'>
      <name>Updates for Windows Applications::Adobe Reader 9.3.2 Available - Adobe Reader 9.3/9.3.1 (French)</name>
      <release-date>Tue, 13 Apr 2010</release-date>
      <statistics>
        <scanned>4</scanned>
        <passed>4</passed>
        <failed>0</failed>
        <patched>0</patched>
        <mean-patch-time-hours>NaN</mean-patch-time-hours>
      </statistics>
      <exceptions>
        <has-exception>false</has-exception>
        <use-exception>true</use-exception>
        <exempt-count>0</exempt-count>
      </exceptions>
    </control>
    <control internal-id='9081021'>
      <name>Updates for Windows Applications::Adobe Acrobat 8.2.2 Available - Adobe Acrobat 8.2/8.2.1</name>
      <release-date>Tue, 13 Apr 2010</release-date>
      <statistics>
        <scanned>4</scanned>
        <passed>4</passed>
        <failed>0</failed>
        <patched>0</patched>
        <mean-patch-time-hours>NaN</mean-patch-time-hours>
      </statistics>
      <exceptions>
        <has-exception>false</has-exception>
        <use-exception>true</use-exception>
        <exempt-count>0</exempt-count>
      </exceptions>
    </control>
    <control internal-id='9081022'>
      <name>Updates for Windows Applications::Adobe Acrobat 8.2.2 Available - Adobe Acrobat 8.2/8.2.1 (French)</name>
      <release-date>Tue, 13 Apr 2010</release-date>
      <statistics>
        <scanned>4</scanned>
        <passed>4</passed>
        <failed>0</failed>
        <patched>0</patched>
        <mean-patch-time-hours>NaN</mean-patch-time-hours>
      </statistics>
      <exceptions>
        <has-exception>false</has-exception>
        <use-exception>true</use-exception>
        <exempt-count>0</exempt-count>
      </exceptions>
    </control>
    <control internal-id='9091019'>
      <name>Updates for Windows Applications::Adobe Acrobat 9.3.2 Available - Adobe Acrobat 9.3/9.3.1</name>
      <release-date>Tue, 13 Apr 2010</release-date>
      <statistics>
        <scanned>4</scanned>
        <passed>4</passed>
        <failed>0</failed>
        <patched>0</patched>
        <mean-patch-time-hours>NaN</mean-patch-time-hours>
      </statistics>
      <exceptions>
        <has-exception>false</has-exception>
        <use-exception>true</use-exception>
        <exempt-count>0</exempt-count>
      </exceptions>
    </control>
    <control internal-id='9091020'>
      <name>Updates for Windows Applications::Adobe Acrobat 9.3.2 Available - Adobe Acrobat 9.3/9.3.1 (French)</name>
      <release-date>Tue, 13 Apr 2010</release-date>
      <statistics>
        <scanned>4</scanned>
        <passed>4</passed>
        <failed>0</failed>
        <patched>0</patched>
        <mean-patch-time-hours>NaN</mean-patch-time-hours>
      </statistics>
      <exceptions>
        <has-exception>false</has-exception>
        <use-exception>true</use-exception>
        <exempt-count>0</exempt-count>
      </exceptions>
    </control>
  </controls>

props.conf

[bigfix]
#TIME_PREFIX = <Extended_Timestamp>
#MAX_TIMESTAMP_LOOKAHEAD = 200
#MUST_BREAK_AFTER = </controls>
#BREAK_ONLY_BEFORE_DATE = false
#SHOULD_LINEMERGE = true
#LINE_BREAKER = \>\s*(?=\<control\>)
BREAK_ONLY_BEFORE = <controls\sscap-id
REPORT-bigfix = xml-bigfix

transforms.conf

[xml-bigfix]
MV_ADD = true

Re: XML fields and multivalues

gkanapathy — Thu, 03 Jun 2010 07:46:16 GMT

[xml-bigfix]
REGEX = /<name(?:\s[^\>]*)?/>([^\<]*)\<\/name

Re: XML fields and multivalues

tjohnston2 — Mon, 28 Sep 2020 09:13:26 GMT

Thanks I would now like a tabular report which looks like this

scap_id
name
name
name
etc...

I can't seem to figure it out. I have tried stats list(name) by scap_id, stats values(name) by scap_id. Help

Re: XML fields and multivalues

tjohnston2 — Mon, 28 Sep 2020 09:13:28 GMT

Thanks I would now like a tabular report which looks like this scap_id name name name etc... I can't seem to figure it out. I have tried stats list(name) by scap_id, stats values(name) by scap_id. Help

Re: XML fields and multivalues

sideview — Thu, 01 Jul 2010 13:38:57 GMT

Sounds like you want "chart count over scap_id by name"

Re: XML fields and multivalues

Paolo_Prigione — Thu, 15 Jul 2010 15:31:44 GMT

If you don't mind having many lines for each sscap-id: first expand the multivalued field to multiple events, then use table: "... | mvexpand name | table _time scap-id name"

Re: XML fields and multivalues

mjyates — Wed, 02 Feb 2011 07:42:13 GMT

Can you verify this works?? My transforms.conf looks like this

[xmlkv_multivalue] REGEX = <(.?)(?:\s[^>])?>([^<]*) FORMAT = $1::$2 MV_ADD = true

[xml_bigfix] REGEX = /])?/>([^\<])\<\/name

and when I search I pipe to either on the search line and get only one value per xml pair not multiples as advertised...

topic Re: XML fields and multivalues in Getting Data In

XML fields and multivalues

Re: XML fields and multivalues

Re: XML fields and multivalues

Re: XML fields and multivalues

Re: XML fields and multivalues

Re: XML fields and multivalues

Re: XML fields and multivalues