Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need to parse Bluecoat VPM-XML file. this is not a XML format

danje57
Path Finder
‎04-02-2020 02:30 AM

Dear all,

I need your help as I need to parse a file generated by bluecoat, wich contain data relative to our web proxy policy.

The format is like this:

;; CPL generated by Visual Policy Manager: [Thu Mar 26 14:00:04 CET 2020]
;*************************************************************
; WARNING:
;     THIS FILE IS AUTOMATICALLY GENERATED - DO NOT EDIT!
;     ANY MANUAL CHANGES TO THIS FILE WILL BE LOST WHEN VPM
;     POLICY IS REINSTALLED.
;*************************************************************


define category "Blacklisted"
    isdsdsd.com
    *sdsds.com
end category "Blacklisted"

define condition __GROUP5
    realm=admin group="admonui"
end condition __GROUP5

define condition __GROUP7
    realm=admin group="user1"
end condition __GROUP7

define condition __GROUP25
    realm=blablablabla"
end condition __GROUP25

define condition __GROUP28
    realm=bliblibli
end condition __GROUP28

;; Description:
define condition __CondList1
    url.domain="*ecurity.com"
    url.domain="sdsds*ecurity.com"
end condition __CondList1

It seams that value are between words:
define XXXXX and end XXXXX

We cannot predict the XXXX

However XXXXX are the same to start with define and end for example
define MY_OWN_Policy
value1="dsdsds"
value2="fdfdfdfd"
end MY_OWN_Policy

In addition, comments are allowed using ;; before the define statement.

Do you have idea on how to parse such format?

Regards

0 Karma
Reply

danje57
Path Finder
‎04-02-2020 04:57 AM

Thanks to4kawa,

There is no way to create a source type instead to parse inline the file?

Indeed the file has 300line like this.

0 Karma
Reply

to4kawa
Ultra Champion
‎04-02-2020 02:22 PM

make transforms.conf with REGEX and FORMAT
good luck

0 Karma
Reply

to4kawa
Ultra Champion
‎04-02-2020 03:02 AM 
|makeresults
| eval _raw=" ;; CPL generated by Visual Policy Manager: [Thu Mar 26 14:00:04 CET 2020]
 ;*************************************************************
 ; WARNING:
 ;     THIS FILE IS AUTOMATICALLY GENERATED - DO NOT EDIT!
 ;     ANY MANUAL CHANGES TO THIS FILE WILL BE LOST WHEN VPM
 ;     POLICY IS REINSTALLED.
 ;*************************************************************


 define category \"Blacklisted\"
     isdsdsd.com
     *sdsds.com
 end category \"Blacklisted\"

 define condition __GROUP5
     realm=admin group=\"admonui\"
 end condition __GROUP5

 define condition __GROUP7
     realm=admin group=\"user1\"
 end condition __GROUP7

 define condition __GROUP25
     realm=blablablabla\"
 end condition __GROUP25

 define condition __GROUP28
     realm=bliblibli
 end condition __GROUP28

 ;; Description:
 define condition __CondList1
     url.domain=\"*ecurity.com\"
     url.domain=\"sdsds*ecurity.com\"
 end condition __CondList1"
 | rex max_match=0 "(?ms)define (category|condition) (\"|__)(?<fieldname>\w+)[\"\s]+(?<fieldvalue>.*?)end"
 | rex field=fieldvalue mode=sed "s/\s+/ /g"
 | eval counter=mvrange(0,mvcount(fieldname))
 | stats list(field*) as field* by counter
 | foreach field* [ eval <<FIELD>> = mvindex('<<FIELD>>', counter) ]
 | eval {fieldname} = fieldvalue
 | fields - counter field*
 | stats values(*) as *
0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...