Dashboards & Visualizations

How do I pull multiple events in a large XML file

scottrunyon
Contributor

Our vulnerability scanner is only able to provide XML output and i would like to get this into Splunk. The problem I am running into is that each system can have multiple events called audits. I would like to know how to set up the BREAK_ONLY_BEFORE and MUST_BREAK_AFTER parameters to match the audits to each system.

Data format is

```xml
<host>
  <ip>10.12.60.24</ip>
  <audit>
    <cve>CVE-1</cve>
  </audit>
  <audit>
    <cve>CVE-2</cve>
  </audit>
</host>
<host>
  <ip>10.12.60.25</ip>
  <audit>
    <cve>CVE-4</cve>
  </audit>
  <audit>
    <cve>CVE-8</cve>
  </audit>
</host>
```

I would then be able to generate a table that would look like this

| System | Audit1 | Audit2 |
|---|---|---|
| 10.12.60.24 | CVE-1 | CVE-2 |
| 10.12.60.24 | CVE-4 | CVE-8 |

Regards,
Scott


jplumsdaine22
Influencer

Unfortunately you cannot break the events the way you're hoping. However, taking an event like `<host> <ip>10.12.60.24</ip> <audit> <cve>CVE-1</cve> </audit> <audit> <cve>CVE-2</cve> </audit> </host>`, you have a few options at search time to extract the data how you want; that will depend a bit on the structure of the log. For example, are there always two audit events? Or can there be multiple events?


scottrunyon
Contributor

There can be dozens of audit events per IP with no consistency between them. What I am saying is that IP 10.12.60.24 can have 30 CVEs, 10.12.60.25 can have 56 CVEs, 10.12.60.26 can have 4 CVEs and 10.12.60.25 can have 100 CVEs. I am thinking that I might have to run a report that takes in the indexed data that I do a BREAK on IP, have that output a CSV file, and try to extract the CVEs that way.


sudosplunk
Motivator

I am a little confused.
Do you want to break events at the `<audit>` tag? This will give you many single-line events like `<audit> <cve>CVE-1</cve> </audit>`, `<audit> <cve>CVE-2</cve> </audit>`. Or do you want to extract the values of `<cve>` between audit tags?

Please explain further if I misinterpreted your question.


scottrunyon
Contributor

The format of the file didn't quite come out the way I wanted, so it is a little hard to visualize. I would like to extract the values of `<cve>` for each `<ip>`. The problem I am running into is that if I do the break at `<host>`, the `<audit>` sections aren't broken up and all the data is one big line that can have dozens of CVEs, with each host having different outputs. When I break at the `<audit>`, this loses the pointer back to the `<ip>`. Is there a way to do "nested" breaks?

Thanks,

Scott
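One way to get around the "nested break" problem is to flatten the scanner output before it reaches the indexer: emit one self-contained line per `<audit>` that already carries the host's `<ip>`, so a plain newline-based line break keeps the host association. The following script is an added example and is not code from this thread, from Splunk, or from the scanner vendor; it assumes the `<host>` / `<ip>` / `<audit>` / `<cve>` layout shown in the question and that the file may be a bare sequence of `<host>` elements with no single root. The sample XML inside it is constructed.

```python
"""Flatten nested <host>/<audit> scanner XML into newline-delimited JSON,
one event per audit, each carrying its host IP (added example; the
element names are assumed from the thread, not from any vendor schema)."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape shown in the question. The number of
# <audit> children per host varies, there is no single root element, and
# one host lacks an <ip> so the skip path is exercised too.
SAMPLE_XML = """
<host>
  <ip>10.12.60.24</ip>
  <audit><cve>CVE-1</cve></audit>
  <audit><cve>CVE-2</cve></audit>
</host>
<host>
  <ip>10.12.60.25</ip>
  <audit><cve>CVE-4</cve></audit>
  <audit><cve>CVE-8</cve></audit>
  <audit><cve>CVE-9</cve></audit>
</host>
<host>
  <audit><cve>CVE-0</cve></audit>
</host>
"""

_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def parse_hosts(xml_text):
    """Return {ip: [cve, ...]} in document order.

    The text is wrapped in a synthetic <scan> root so that a file which is
    just a sequence of <host> elements still parses; a file that already
    has one root parses the same way. A leading XML declaration is removed
    first because it is only legal at the very start of the document.
    """
    body = _XML_DECL.sub("", xml_text, count=1)
    root = ET.fromstring("<scan>" + body + "</scan>")
    hosts = {}
    for host in root.iter("host"):
        ip_el = host.find("ip")
        ip = (ip_el.text or "").strip() if ip_el is not None else ""
        if not ip:
            continue  # no IP: skip rather than attach audits to the wrong host
        cves = [c.text.strip() for c in host.findall("./audit/cve")
                if c.text and c.text.strip()]
        hosts.setdefault(ip, []).extend(cves)
    return hosts


def to_events(hosts):
    """One JSON object per audit. Every line repeats the IP, so breaking
    on newlines at index time never loses the pointer back to the host."""
    return [json.dumps({"ip": ip, "cve": cve}, sort_keys=True)
            for ip, cves in hosts.items() for cve in cves]


def to_wide_rows(hosts):
    """One ragged row per host (System, Audit1, Audit2, ...), matching the
    table layout in the question; hosts with more CVEs get longer rows."""
    return [[ip, *cves] for ip, cves in hosts.items()]


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_XML)
    for line in to_events(parsed):
        print(line)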
