@avery2007 If you are indexing the XML file into Splunk and have KV_MODE=xml set in props.conf for that data, the XML values should be extracted automatically. In the run-anywhere example below I have used the spath command to extract the same fields using SPL. If KV_MODE=xml is set, you can use just the commands from | rename ... onward.
| makeresults
```Run-anywhere sample: makeresults creates one placeholder event and the eval below attaches constructed XML to it as xmlData. Against indexed data, a real base search takes the place of these two commands.```
| eval xmlData="<summRes:ruleResult ruleID=\"CVE-2000-1985\">
<summRes:ident>CVE-2000-1985</summRes:ident>
<summRes:ruleComplianceItem ruleResult=\"fail\">
<summRes:result count=\"15489\"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID=\"CVE-2000-1820\">
<summRes:ident>CVE-2000-1820</summRes:ident>
<summRes:ruleComplianceItem ruleResult=\"fail\">
<summRes:result count=\"14560\"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID=\"CVE-2000-4568\">
<summRes:ident>CVE-2000-4568</summRes:ident>
<summRes:ruleComplianceItem ruleResult=\"fail\">
<summRes:result count=\"13458\"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID=\"CVE-2000-1156\">
<summRes:ident>CVE-2000-1156</summRes:ident>
<summRes:ruleComplianceItem ruleResult=\"fail\">
<summRes:result count=\"12567\"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID=\"CVE-2000-5641\">
<summRes:ident>CVE-2000-5641</summRes:ident>
<summRes:ruleComplianceItem ruleResult=\"fail\">
<summRes:result count=\"11243\"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID=\"CVE-2000-1985\">
<summRes:ident>CVE-2000-1985</summRes:ident>
<summRes:ruleComplianceItem ruleResult=\"fixed\">
<summRes:result count=\"900\"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID=\"CVE-2000-1156\">
<summRes:ident>CVE-2000-1156</summRes:ident>
<summRes:ruleComplianceItem ruleResult=\"fixed\">
<summRes:result count=\"726\"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID=\"CVE-2000-4568\">
<summRes:ident>CVE-2000-4568</summRes:ident>
<summRes:ruleComplianceItem ruleResult=\"fixed\">
<summRes:result count=\"455\"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>"
```spath parses the XML held in xmlData into fields named by element path, with attributes exposed as {@name}.```
| spath input=xmlData
```Drop the raw XML string now that its values have been extracted.```
| fields - xmlData
```Shorten the path-style field names. In this sample each renamed field is multivalue, one value per ruleResult element.```
| rename "summRes:ruleResult.summRes:ruleComplianceItem.summRes:result{@count}" as "count",
"summRes:ruleResult.summRes:ruleComplianceItem{@ruleResult}" as "ruleResult",
"summRes:ruleResult{@ruleID}" as "ruleID"
```mvzip pairs values by position using its default comma delimiter, producing ruleID,ruleResult,count strings. NOTE(review): this assumes every ruleResult element carries all three values. If one is missing, the lists differ in length and a CVE can land beside another rule's status or count - confirm against real scanner output before reporting on it.```
| eval data=mvzip(mvzip(ruleID,ruleResult),count)
```Keep only the zipped field so that mvexpand has a single multivalue field to expand.```
| fields data
```One event per zipped triple. NOTE(review): mvexpand is memory-limited (max_mem_usage_mb in limits.conf) and can truncate large inputs - check the job for a truncation warning before trusting totals.```
| mvexpand data
```Split each triple back apart on commas. Assumes none of the three values contains a comma.```
| makemv data delim=","
```Index positions 0, 1 and 2 follow the mvzip order: ruleID, ruleResult, count.```
| eval ruleID=mvindex(data,0),
ruleResult=mvindex(data,1),
count=mvindex(data,2)
| table ruleID, ruleResult, count