
How to parse xml results from the whois add on?

burtsa
New Member

I am using the whois add on and the results from the add-on are a single field that is an xml string.
I would like to parse the xml string to retrieve fields to add to my results. Is this possible?

0 Karma

ktugwell_splunk
Splunk Employee

Have you tried using xmlkv in your search?

Ideally, the KV_MODE in props.conf should be set to xml.

your search | xmlkv

http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/Xmlkv

If the XML has nested values, you could try using spath

http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/Spath

0 Karma

burtsa
New Member

Here is what I am running:

(dest =  162.248.150.* OR 192.168.*.* ) AND src_ip != 192.168.*.* AND src_ip=184.168.152.52  | stats count  by src_ip | sort -count | lookup whoisLookup ip as src_ip | spath path=WhoisRecord.RegistryData.Registrant output=Country input=whois

and sample output:

src_ip           count   Country   whois
184.168.152.52   4814              ['<WhoisRecord xmlns="http://adam.kahtava.com/services/whois" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><DomainName>184.168.152.52</DomainName><RegistryData><AbuseContact><Email>abuse@godaddy.com</Email><Name>Abuse Department</Name><Phone>+1-480-624-2505</Phone></AbuseContact><AdministrativeContact><Email>noc@godaddy.com</Email><Name>Network Operations Center</Name><Phone>+1-480-505-8809</Phone></AdministrativeContact><BillingContact i:nil="true"/><CreatedDate>2010-09-21T11:16:05-04:00</CreatedDate><RawText i:nil="true"/><Registrant><Address>14455 N Hayden Road&#xD;, Suite 226</Address><City>Scottsdale</City><Country>US</Country><Name>GoDaddy.com, LLC</Name><PostalCode>85260</PostalCode><StateProv>AZ</StateProv></Registrant><TechnicalContact><Email>noc@godaddy.com</Email><Name>Network Operations Center</Name><Phone>+1-480-505-8809</Phone></TechnicalContact><UpdatedDate>2014-02-25T18:37:10-05:00</UpdatedDate><ZoneContact i:nil="true"/></RegistryData></WhoisRecord>']

I found the spath function after posting the question, however, I have not been successful in getting it to extract any data. I am not sure if I have incorrect syntax or what is going on.
Any insight would be appreciated.

Thanks

Shawn

0 Karma

bkirk
Path Finder

Going off pochichen's suggestion, try this (substr is 1-based, so start at character 3 and drop the four wrapper characters [' and '] in total):

(dest = 162.248.150.* OR 192.168.*.*) AND src_ip != 192.168.*.* AND src_ip=184.168.152.52 | stats count by src_ip | sort -count | lookup whoisLookup ip AS src_ip | eval whois = substr(whois, 3, len(whois)-4) | spath path=WhoisRecord.RegistryData.Registrant.Country output=Country input=whois

Or, to get all the fields:

(dest = 162.248.150.* OR 192.168.*.*) AND src_ip != 192.168.*.* AND src_ip=184.168.152.52 | stats count by src_ip | sort -count | lookup whoisLookup ip AS src_ip | eval whois = substr(whois, 3, len(whois)-4) | spath input=whois

0 Karma
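To see why the unmodified lookup value defeats spath, and what the dotted paths in the answers above resolve to, here is an added Python example (not code from the thread or from the whois add-on) that performs the same two steps outside Splunk: strip the ['...'] wrapper, then walk the XML and emit spath-style dotted keys. The sample value is constructed from the record posted above, trimmed to a few elements; the function and variable names are this example's own. It also shows two details spath hides from you: the document carries a default namespace (xmlns="http://adam.kahtava.com/services/whois"), so a namespace-aware parser prefixes every tag, and empty contacts are marked with i:nil="true" rather than an empty string.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the string the whoisLookup lookup returned in the thread,
# i.e. a Python-list-style wrapper ['...'] around the XML document (abridged).
SAMPLE_LOOKUP_VALUE = (
    "['<WhoisRecord xmlns=\"http://adam.kahtava.com/services/whois\" "
    "xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\">"
    "<DomainName>184.168.152.52</DomainName><RegistryData>"
    "<AbuseContact><Email>abuse@godaddy.com</Email><Name>Abuse Department</Name>"
    "<Phone>+1-480-624-2505</Phone></AbuseContact>"
    "<BillingContact i:nil=\"true\"/>"
    "<Registrant><Address>14455 N Hayden Road&#xD;, Suite 226</Address>"
    "<City>Scottsdale</City><Country>US</Country><Name>GoDaddy.com, LLC</Name>"
    "<PostalCode>85260</PostalCode><StateProv>AZ</StateProv></Registrant>"
    "</RegistryData></WhoisRecord>']"
)

XSI = "http://www.w3.org/2001/XMLSchema-instance"


def unwrap(value: str) -> str:
    """Strip the ['...'] wrapper so the string starts at <WhoisRecord.

    Equivalent to the SPL  eval whois = substr(whois, 3, len(whois)-4)
    but tolerant of surrounding whitespace; returns the input unchanged
    when no wrapper is present.
    """
    m = re.fullmatch(r"\s*\[\s*'(.*)'\s*\]\s*", value, re.DOTALL)
    return m.group(1) if m else value


def parses(value: str) -> bool:
    """True if the string is a well-formed XML document as-is."""
    try:
        ET.fromstring(value)
        return True
    except ET.ParseError:
        return False


def localname(tag: str) -> str:
    """Drop the {namespace} prefix ElementTree attaches to every tag."""
    return tag.rsplit("}", 1)[-1]


def flatten(elem, prefix=""):
    """Map each leaf to a dotted path like spath's
    WhoisRecord.RegistryData.Registrant.Country. Elements flagged
    xsi:nil="true" (BillingContact, RawText, ZoneContact) become None."""
    out = {}
    path = f"{prefix}.{localname(elem.tag)}" if prefix else localname(elem.tag)
    children = list(elem)
    if elem.get(f"{{{XSI}}}nil") == "true":
        out[path] = None
    elif not children:
        out[path] = (elem.text or "").strip()
    for child in children:
        out.update(flatten(child, path))
    return out


def parse_whois(value: str) -> dict:
    """Unwrap the lookup value and flatten the WhoisRecord into dotted keys."""
    return flatten(ET.fromstring(unwrap(value)))


if __name__ == "__main__":
    print("parses as-is:", parses(SAMPLE_LOOKUP_VALUE))          # False
    fields = parse_whois(SAMPLE_LOOKUP_VALUE)
    for key in ("WhoisRecord.RegistryData.Registrant.Country",
                "WhoisRecord.RegistryData.AbuseContact.Email",
                "WhoisRecord.RegistryData.BillingContact"):
        print(key, "=", fields[key])
```

Two caveats if you reuse this outside the lookup context: the record comes from a third-party whois service, so treat it as untrusted input and prefer defusedxml.ElementTree over the stdlib parser for anything exposed to arbitrary registries; and the Address element contains a literal carriage return (the &#xD; entity), which survives parsing and will break naive line-oriented output.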

pochichen
New Member

Substring the value in the whois field so that it starts with <WhoisRecord, not [.

0 Karma