Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I pull multiple events in a large XML file

scottrunyon
Contributor
‎09-12-2018 11:02 AM

Our vulnerability scanner is only able to provide XML output and i would like to get this into Splunk. The problem I am running into is that each system can have multiple events called audits. I would like to know how to set up the BREAK_ONLY_BEFORE and MUST_BREAK_AFTER parameters to match the audits to each system.

Data format is

`

<host>
  <ip>10.12.60.24</ip>
  <audit>
    <cve>CVE-1</cve>
  </audit>
  <audit>
    <cve>CVE-2</cve>
   </audit>
</host>

  <ip>10.12.60.25</ip>
  <audit>
    <cve>CVE-4</cve>
  </audit>
  <audit>
    <cve>CVE-8</cve>
  </audit>
</host>

`

I would then be able to generate a table that would look like this

System Audit1 Audit2

10.12.60.24 CVE-1 CVE-2
10.12.60.24 CVE-4 CVE-8

Regards,
Scott

Tags (2)
0 Karma
Reply

jplumsdaine22
Influencer
‎09-17-2018 06:27 AM

Unfortunately you cannot break the events the way you're hoping, however taking an event like <host> <ip>10.12.60.24</ip> <audit> <cve>CVE-1</cve> </audit> <audit> <cve>CVE-2</cve> </audit> </host> you have a few options at search time to extract the data how you want, however that will depend a bit on the structure of the log. For example, are there always two audit events? Or can there be multiple events?

0 Karma
Reply

scottrunyon
Contributor
‎09-17-2018 12:31 PM

There can be dozens of audit events per IP with no consistency between them. What I am saying is that IP 10.12.60.24 can have 30 cves, 10.12.60.25 can have 56 cves, 10.12.60.26 can have 4 cves and 10.12.60.25 can have 100 cves. I am thinking that I might have to run a report that takes in the indexed data that I do a BREAK on IP, have that ouput a csv file and try and extract the cves that way.

0 Karma
Reply

sudosplunk
Motivator
‎09-13-2018 11:05 AM

I am little confused,
Do you want to break events at <audit> tag? This will give you many single line events like <audit> <cve>CVE-1</cve> </audit>, <audit> <cve>CVE-2</cve> </audit>. OR do you want to extract values of <cve> between audit tags?

Please explain further if I misinterpreted your question.

0 Karma
Reply

scottrunyon
Contributor
‎09-17-2018 06:01 AM

The format of the file didn't quite come out the way I wanted, so it is a little hard to visualize. I would like to extract the values of for each . The problem I am running into is if I do the break at , the sections aren't broken up and all the data is one big line that can have dozens of CVEs, with each host having different outputs. When I break at the , this loses the pointer back to the . Is there a way to do "nested" breaks?

Thanks,

Scott

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Top