Deployment Architecture
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracting fields from XML

arunkuriakose
Explorer
‎02-03-2025 03:52 AM

i have a sample xml which looks like this

 

script_family>Amazon Linux Local Security Checks</script_family> <filename>al2023_ALAS2023-2025-816.nasl</filename> <script_version>1.1</script_version> <script_name>Amazon Linux 2023 : runfinch-finch (ALAS2023-2025-816)</script_name> <script_copyright>This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.</script_copyright> <script_id>214620</script_id> <cves> <cve>CVE-2024-45338</cve> <cve>CVE-2024-51744</cve> </cves> <bids> </bids> <xrefs> </xrefs> <preferences> </preferences> <dependencies> <dependency>ssh_get_info.nasl</dependency> </dependencies> <required_keys> <required_key>Host/local_checks_enabled</required_key> <required_key>Host/AmazonLinux/release</required_key> <required_key>Host/AmazonLinux/rpm-list</required_key> </required_keys> <excluded_keys> </excluded_keys> <required_ports> </required_ports> <required_udp_ports> </required_udp_ports> <attributes> <attribute> <name>exploitability_ease</name> <value>No known exploits are available</value> </attribute> <attribute> <name>cvss3_temporal_vector</name> <value>CVSS:3.0/E:U/RL:O/RC:C</value> </attribute> <attribute> <name>vuln_publication_date</name> <value>2024/11/04</value> </attribute> <attribute> <name>cpe</name> <value>p-cpe:/a:amazon:linux:runfinch-finch cpe:/o:amazon:linux:2023</value> </attribute> <attribute> <name>cvss3_vector</name> <value>CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N</value> </attribute


i want to extract few fields from search using spath or similar methods

field value payer should look somthing like

key                                                               value
exploitability_ease                             No known exploits are available

cvss3_temporal_vector                  CVSS:3.0/E:U/RL:O/RC:C

solution                                                    Run 'dnf update runfinch-finch --releasever 2023.6.20250123' to update 

 

 

 

i tried something similar to this but no luck

| spath input=_raw path="attributes.attribute[*].name" output=name
| spath input=_raw path="attributes.attribute[*].value" output=value
| table name value

Labels (1)
Labels
Tags (1)
0 Karma
Reply

livehybrid
Influencer
‎02-03-2025 03:58 AM

I cant make out the full log example but please try the following updated SPL, which replaces [*] with {}

| spath input=_raw path="attributes.attribute{}.name" output=name
| spath input=_raw path="attributes.attribute{}.value" output=value
| table name value
0 Karma
Reply

arunkuriakose
Explorer
‎02-03-2025 04:03 AM

Hi @livehybrid 

 

thanks for quick response . Unfortunately this is not working , I am attaching a screenshot of the same log which might help to understand it better

 

arunkuriakose_0-1738584207735.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...
li.common.scroll-to.top