Dashboards & Visualizations

How do I pull multiple events in a large XML file

scottrunyon
Contributor

Our vulnerability scanner is only able to provide XML output and i would like to get this into Splunk. The problem I am running into is that each system can have multiple events called audits. I would like to know how to set up the BREAK_ONLY_BEFORE and MUST_BREAK_AFTER parameters to match the audits to each system.

Data format is

```xml
<host>
  <ip>10.12.60.24</ip>
  <audit>
    <cve>CVE-1</cve>
  </audit>
  <audit>
    <cve>CVE-2</cve>
  </audit>
</host>
<host>
  <ip>10.12.60.25</ip>
  <audit>
    <cve>CVE-4</cve>
  </audit>
  <audit>
    <cve>CVE-8</cve>
  </audit>
</host>
```

I would then be able to generate a table that would look like this

| System      | Audit1 | Audit2 |
|-------------|--------|--------|
| 10.12.60.24 | CVE-1  | CVE-2  |
| 10.12.60.24 | CVE-4  | CVE-8  |

Regards,
Scott


jplumsdaine22
Influencer

Unfortunately you cannot break the events the way you're hoping. However, taking an event like `<host> <ip>10.12.60.24</ip> <audit> <cve>CVE-1</cve> </audit> <audit> <cve>CVE-2</cve> </audit> </host>`, you have a few options at search time to extract the data how you want, though that will depend a bit on the structure of the log. For example, are there always two audit events? Or can there be multiple events?


scottrunyon
Contributor

There can be dozens of audit events per IP with no consistency between them. What I am saying is that IP 10.12.60.24 can have 30 cves, 10.12.60.25 can have 56 cves, 10.12.60.26 can have 4 cves and 10.12.60.25 can have 100 cves. I am thinking that I might have to run a report that takes in the indexed data that I do a BREAK on IP, have that output a csv file and try and extract the cves that way.


sudosplunk
Motivator

I am a little confused.
Do you want to break events at the `<audit>` tag? This will give you many single-line events like `<audit> <cve>CVE-1</cve> </audit>`, `<audit> <cve>CVE-2</cve> </audit>`. Or do you want to extract the values of `<cve>` between audit tags?

Please explain further if I misinterpreted your question.


scottrunyon
Contributor

The format of the file didn't quite come out the way I wanted, so it is a little hard to visualize. I would like to extract the values of for each . The problem I am running into is if I do the break at , the sections aren't broken up and all the data is one big line that can have dozens of CVEs, with each host having different outputs. When I break at the , this loses the pointer back to the . Is there a way to do "nested" breaks?

Thanks,

Scott

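One practical way around the "nested break" problem discussed above, added here as an example rather than code from any of the posters or from Splunk: reshape the scanner XML before ingestion into one JSON line per host that carries all of that host's CVEs as a list, so Splunk only needs its default one-event-per-line breaking and `cve` arrives as a multivalue field that still points back to its `ip`. The sample XML below is constructed to match the format posted in the thread (a `<hosts>` wrapper is assumed so the file parses as one document), and the function names are assumptions.

```python
import io
import json
import xml.etree.ElementTree as ET

# Constructed sample in the format posted in the thread. A <hosts> wrapper
# is assumed so the export parses as one well-formed document, and the
# number of <audit> elements per host varies, as described later in the thread.
SAMPLE_XML = """<hosts>
<host>
  <ip>10.12.60.24</ip>
  <audit><cve>CVE-1</cve></audit>
  <audit><cve>CVE-2</cve></audit>
</host>
<host>
  <ip>10.12.60.25</ip>
  <audit><cve>CVE-4</cve></audit>
  <audit><cve>CVE-8</cve></audit>
  <audit><cve>CVE-9</cve></audit>
</host>
</hosts>"""


def hosts_to_events(xml_text):
    """Return one dict per <host>: its ip plus every <cve> found under its <audit>s.

    iterparse streams the document, so a large scanner export is not held in
    memory whole; each <host> subtree is discarded once it has been consumed.
    """
    events = []
    for _, elem in ET.iterparse(io.BytesIO(xml_text.encode("utf-8")), events=("end",)):
        if elem.tag != "host":
            continue
        ip = (elem.findtext("ip") or "").strip()
        cves = [c.text.strip() for c in elem.iter("cve") if c.text and c.text.strip()]
        events.append({"ip": ip, "cve": cves, "audit_count": len(cves)})
        elem.clear()  # free the subtree; nothing else in it is needed
    return events


def host_cve_rows(events):
    """Flatten to (ip, cve) pairs: the per-CVE view that keeps the link back to the host."""
    return [(e["ip"], cve) for e in events for cve in e["cve"]]


def to_splunk_lines(events):
    """One JSON object per line: default line breaking then yields one event per
    host, and 'cve' is indexed as a multivalue field with no BREAK_ONLY_BEFORE
    or MUST_BREAK_AFTER tuning in props.conf."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    print(to_splunk_lines(hosts_to_events(SAMPLE_XML)))
```

In Splunk the resulting `cve` multivalue field can then be expanded per host at search time (for example with `mvexpand`) to produce the per-host, per-CVE table Scott describes.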