Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

XML fields and multivalues

tjohnston2
Splunk Employee
Splunk Employee
‎06-03-2010 12:25 AM

I am trying to search on the name field by scap-id in the following data. When I search against it Splunk returns one value for the name and throws out the rest. How do I make name a multivalued field. I have included a dataset and my props.conf and transforms.conf.

<controls scap-id='CVE-2010-1241'>
    <control internal-id='8081023'>
      <name>Updates for Windows Applications::Adobe Reader 8.2.2 Available - Adobe Reader 8.2.1</name>
      <release-date>Tue, 13 Apr 2010</release-date>
      <statistics>
        <scanned>4</scanned>
        <passed>4</passed>
        <failed>0</failed>
        <patched>0</patched>
        <mean-patch-time-hours>NaN</mean-patch-time-hours>
      </statistics>
      <exceptions>
        <has-exception>false</has-exception>
        <use-exception>true</use-exception>
        <exempt-count>0</exempt-count>
      </exceptions>
    </control>
    <control internal-id='8081024'>
      <name>Updates for Windows Applications::Adobe Reader 8.2.2 Available - Adobe Reader 8.2.1 (French)</name>
      <release-date>Tue, 13 Apr 2010</release-date>
      <statistics>
        <scanned>4</scanned>
        <passed>4</passed>
        <failed>0</failed>
        <patched>0</patched>
        <mean-patch-time-hours>NaN</mean-patch-time-hours>
      </statistics>
      <exceptions>
        <has-exception>false</has-exception>
        <use-exception>true</use-exception>
        <exempt-count>0</exempt-count>
      </exceptions>
    </control>
    <control internal-id='8091029'>
      <name>Updates for Windows Applications::Adobe Reader 9.3.2 Available - Adobe Reader 9.3/9.3.1</name>
      <release-date>Tue, 13 Apr 2010</release-date>
      <statistics>
        <scanned>4</scanned>
        <passed>3</passed>
        <failed>1</failed>
        <patched>0</patched>
        <mean-patch-time-hours>NaN</mean-patch-time-hours>
      </statistics>
      <exceptions>
        <has-exception>false</has-exception>
        <use-exception>true</use-exception>
        <exempt-count>0</exempt-count>
      </exceptions>
    </control>
    <control internal-id='8091030'>
      <name>Updates for Windows Applications::Adobe Reader 9.3.2 Available - Adobe Reader 9.3/9.3.1 (French)</name>
      <release-date>Tue, 13 Apr 2010</release-date>
      <statistics>
        <scanned>4</scanned>
        <passed>4</passed>
        <failed>0</failed>
        <patched>0</patched>
        <mean-patch-time-hours>NaN</mean-patch-time-hours>
      </statistics>
      <exceptions>
        <has-exception>false</has-exception>
        <use-exception>true</use-exception>
        <exempt-count>0</exempt-count>
      </exceptions>
    </control>
    <control internal-id='9081021'>
      <name>Updates for Windows Applications::Adobe Acrobat 8.2.2 Available - Adobe Acrobat 8.2/8.2.1</name>
      <release-date>Tue, 13 Apr 2010</release-date>
      <statistics>
        <scanned>4</scanned>
        <passed>4</passed>
        <failed>0</failed>
        <patched>0</patched>
        <mean-patch-time-hours>NaN</mean-patch-time-hours>
      </statistics>
      <exceptions>
        <has-exception>false</has-exception>
        <use-exception>true</use-exception>
        <exempt-count>0</exempt-count>
      </exceptions>
    </control>
    <control internal-id='9081022'>
      <name>Updates for Windows Applications::Adobe Acrobat 8.2.2 Available - Adobe Acrobat 8.2/8.2.1 (French)</name>
      <release-date>Tue, 13 Apr 2010</release-date>
      <statistics>
        <scanned>4</scanned>
        <passed>4</passed>
        <failed>0</failed>
        <patched>0</patched>
        <mean-patch-time-hours>NaN</mean-patch-time-hours>
      </statistics>
      <exceptions>
        <has-exception>false</has-exception>
        <use-exception>true</use-exception>
        <exempt-count>0</exempt-count>
      </exceptions>
    </control>
    <control internal-id='9091019'>
      <name>Updates for Windows Applications::Adobe Acrobat 9.3.2 Available - Adobe Acrobat 9.3/9.3.1</name>
      <release-date>Tue, 13 Apr 2010</release-date>
      <statistics>
        <scanned>4</scanned>
        <passed>4</passed>
        <failed>0</failed>
        <patched>0</patched>
        <mean-patch-time-hours>NaN</mean-patch-time-hours>
      </statistics>
      <exceptions>
        <has-exception>false</has-exception>
        <use-exception>true</use-exception>
        <exempt-count>0</exempt-count>
      </exceptions>
    </control>
    <control internal-id='9091020'>
      <name>Updates for Windows Applications::Adobe Acrobat 9.3.2 Available - Adobe Acrobat 9.3/9.3.1 (French)</name>
      <release-date>Tue, 13 Apr 2010</release-date>
      <statistics>
        <scanned>4</scanned>
        <passed>4</passed>
        <failed>0</failed>
        <patched>0</patched>
        <mean-patch-time-hours>NaN</mean-patch-time-hours>
      </statistics>
      <exceptions>
        <has-exception>false</has-exception>
        <use-exception>true</use-exception>
        <exempt-count>0</exempt-count>
      </exceptions>
    </control>
  </controls>

props.conf

[bigfix]
#TIME_PREFIX = <Extended_Timestamp>
#MAX_TIMESTAMP_LOOKAHEAD = 200
#MUST_BREAK_AFTER = </controls>
#BREAK_ONLY_BEFORE_DATE = false
#SHOULD_LINEMERGE = true
#LINE_BREAKER = \>\s*(?=\<control\>)
BREAK_ONLY_BEFORE = <controls\sscap-id
REPORT-bigfix = xml-bigfix

transforms.conf

[xml-bigfix]
MV_ADD = true
Tags (1)
0 Karma
Reply

mjyates
New Member
‎02-01-2011 11:42 PM

Can you verify this works?? My transforms.conf looks like this

[xmlkv_multivalue] REGEX = <(.?)(?:\s[^>])?>([^<]*) FORMAT = $1::$2 MV_ADD = true

[xml_bigfix] REGEX = /])?/>([^\<])\<\/name

and when I search I pipe to either on the search line and get only one value per xml pair not multiples as advertised...

0 Karma
Reply

tjohnston2
Splunk Employee
Splunk Employee
‎06-03-2010 01:27 PM

Thanks I would now like a tabular report which looks like this

scap_id
name
name
name
etc...

I can't seem to figure it out. I have tried stats list(name) by scap_id, stats values(name) by scap_id. Help

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎06-03-2010 12:46 AM 
[xml-bigfix]
REGEX = /<name(?:\s[^\>]*)?/>([^\<]*)\<\/name
0 Karma
Reply

Paolo_Prigione
Builder
‎07-15-2010 08:31 AM

If you don't mind having many lines for each sscap-id: first expand the multivalued field to multiple events, then use table: "... | mvexpand name | table _time scap-id name"

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎07-01-2010 06:38 AM

Sounds like you want "chart count over scap_id by name"

0 Karma
Reply

tjohnston2
Splunk Employee
Splunk Employee
‎06-03-2010 01:28 PM

Thanks I would now like a tabular report which looks like this scap_id name name name etc... I can't seem to figure it out. I have tried stats list(name) by scap_id, stats values(name) by scap_id. Help

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...