How do I pull multiple events in a large XML file

scottrunyon
Contributor

Our vulnerability scanner is only able to provide XML output and I would like to get this into Splunk. The problem I am running into is that each system can have multiple events called audits. I would like to know how to set up the BREAK_ONLY_BEFORE and MUST_BREAK_AFTER parameters to match the audits to each system.

Data format is

```xml
<host>
  <ip>10.12.60.24</ip>
  <audit>
    <cve>CVE-1</cve>
  </audit>
  <audit>
    <cve>CVE-2</cve>
  </audit>
</host>
<host>
  <ip>10.12.60.25</ip>
  <audit>
    <cve>CVE-4</cve>
  </audit>
  <audit>
    <cve>CVE-8</cve>
  </audit>
</host>
```

I would then be able to generate a table that would look like this

System       Audit1  Audit2
10.12.60.24  CVE-1   CVE-2
10.12.60.24  CVE-4   CVE-8

Regards,
Scott


jplumsdaine22
Influencer

Unfortunately you cannot break the events the way you're hoping, however taking an event like <host> <ip>10.12.60.24</ip> <audit> <cve>CVE-1</cve> </audit> <audit> <cve>CVE-2</cve> </audit> </host> you have a few options at search time to extract the data how you want, however that will depend a bit on the structure of the log. For example, are there always two audit events? Or can there be multiple events?

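Added example, not code from this thread or from Splunk: since index-time line breaking can only cut the stream at one pattern, it cannot keep a variable number of `<audit>` children attached to their `<host>`. A practical alternative is to pre-process the scanner XML into one JSON line per host before ingestion, so the CVE list arrives as a multivalue field. The script assumes the element names from Scott's sample (`<host>`, `<ip>`, `<audit>`, `<cve>`); the sample data is constructed, and the rootless-file handling covers scanners that concatenate `<host>` blocks with no enclosing document element.

```python
"""Group a scanner's XML <host>/<audit> blocks into one record per host.

Added example, not code from the thread or from Splunk. Assumes the scanner
output is a sequence of <host> elements, each holding one <ip> and zero or
more <audit> elements with a <cve> child (element names taken from the
thread; the sample below is constructed).
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample mirroring the thread's format: hosts with 2, 3 and 0 CVEs.
SAMPLE_XML = """<hosts>
<host>
  <ip>10.12.60.24</ip>
  <audit><cve>CVE-1</cve></audit>
  <audit><cve>CVE-2</cve></audit>
</host>
<host>
  <ip>10.12.60.25</ip>
  <audit><cve>CVE-4</cve></audit>
  <audit><cve>CVE-8</cve></audit>
  <audit><cve>CVE-9</cve></audit>
</host>
<host>
  <ip>10.12.60.26</ip>
</host>
</hosts>
"""


def parse_hosts(xml_text):
    """Return one dict per <host>: {"ip": "...", "cve": [...]}.

    Scanner files often concatenate <host> blocks with no document root, which
    ElementTree rejects as 'junk after document element'; in that case the
    text is wrapped in a synthetic root and parsed again.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        root = ET.fromstring("<hosts>" + xml_text + "</hosts>")
    records = []
    # iter() also matches the root itself, so a single bare <host> works too.
    for host in root.iter("host"):
        ip_el = host.find("ip")
        ip = ip_el.text.strip() if ip_el is not None and ip_el.text else None
        # findall() preserves document order; each <audit> contributes its <cve>.
        cves = [
            a.findtext("cve").strip()
            for a in host.findall("audit")
            if a.findtext("cve")
        ]
        records.append({"ip": ip, "cve": cves})
    return records


def to_json_lines(records):
    """One JSON object per line: Splunk indexes each line as one event and
    reads the "cve" array as a multivalue field, with no line-breaking rules."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


def to_wide_table(records):
    """Render the 'System Audit1 Audit2 ...' layout asked for in the thread,
    sizing the column count to the host with the most CVEs and padding the rest."""
    width = max((len(r["cve"]) for r in records), default=0)
    header = ["System"] + ["Audit%d" % i for i in range(1, width + 1)]
    rows = [header]
    for r in records:
        rows.append([r["ip"] or ""] + r["cve"] + [""] * (width - len(r["cve"])))
    col_w = [max(len(row[c]) for row in rows) for c in range(len(header))]
    return "\n".join(
        "  ".join(cell.ljust(col_w[c]) for c, cell in enumerate(row)).rstrip()
        for row in rows
    )


if __name__ == "__main__":
    recs = parse_hosts(SAMPLE_XML)
    print(to_json_lines(recs))
    print(to_wide_table(recs))
```

If the file is instead indexed as raw XML with one `<host>...</host>` block per event (BREAK_ONLY_BEFORE set to the `<host>` tag), the same grouping can be done at search time with `spath`, whose path syntax uses `{}` for repeated elements (for example `audit{}.cve`) and returns them as a multivalue field, so the "pointer back" to the IP is never lost.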

scottrunyon
Contributor

There can be dozens of audit events per IP with no consistency between them. What I am saying is that IP 10.12.60.24 can have 30 cves, 10.12.60.25 can have 56 cves, 10.12.60.26 can have 4 cves and 10.12.60.25 can have 100 cves. I am thinking that I might have to run a report that takes in the indexed data that I do a BREAK on IP, have that output a csv file and try and extract the cves that way.


sudosplunk
Motivator

I am a little confused.
Do you want to break events at the <audit> tag? This will give you many single-line events like <audit> <cve>CVE-1</cve> </audit>, <audit> <cve>CVE-2</cve> </audit>. Or do you want to extract the values of <cve> between audit tags?

Please explain further if I misinterpreted your question.


scottrunyon
Contributor

The format of the file didn't quite come out the way I wanted, so it is a little hard to visualize. I would like to extract the values of for each . The problem I am running into is if I do the break at , the sections aren't broken up and all the data is one big line that can have dozens of CVEs, with each host having different outputs. When I break at the , this loses the pointer back to the . Is there a way to do "nested" breaks?

Thanks,

Scott
