Splunk Search

Trying to extract these three fields from XML using regex

sphc
Explorer

Hi!
I cannot extract three fields from XML using regex. Please tell me how it can be done.

<VULN number="MP-413771" severity="5" cveid="CVE-2015-1762">

Thank you

P.S. Also there are lines like this:

 <VULN number="MP-413771" severity="5">

Does it work for everything?

0 Karma

niketn
Legend

@sphc, for extracting XML nodes you should try spath command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spat).
Unless you have turned on KV_MODE as xml for your data (which extracts XML nodes during search-time field discovery), you should ideally write a rex to extract the XML data and then apply spath on that to extract fields. The following is a run-anywhere search based on your examples:

| makeresults
| eval _raw="<VULN number=\"MP-413771\" severity=\"5\" cveid=\"CVE-2015-1762\">"
| append
   [| makeresults
| eval _raw="<VULN number=\"MP-413771\" severity=\"5\">"]
| spath
| table VULN*
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Richfez
SplunkTrust

I'm surprised they weren't auto-extracted.

But, in one rex:

... | rex "number=\"(?<vuln_number>[^\"]*)\"\s+severity=\"(?<vuln_severity>[^\"]*)\"(\s+cveid=\"(?<vuln_cve>[^\"]*)\")?"

Or as three easy ones so you can use just the ones you want.

... | rex "number=\"(?<vuln_number>[^\"]*)\"" | rex "severity=\"(?<vuln_severity>[^\"]*)\"" | rex "cveid=\"(?<vuln_cve>[^\"]*)\""

Give those a try.

Happy Splunking!
-Rich

Richfez
SplunkTrust

Edited post - silly me forgot the opening/closing quotes on some. You can see the regex101 stuff here:
https://regex101.com/r/A3liy0/1 (That's what I was copying that I just did a FAIL on the adding quotes back in).

0 Karma
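The regex approach from Richfez's answer and the attribute-per-field result niketn gets from spath can be tried offline without a Splunk instance. The block below is an added example, not code from the thread; it uses Python's re module as a stand-in for SPL (Python spells named groups (?P<name>...) where Splunk's PCRE accepts (?<name>...)). The first function mirrors the single rex with the optional cveid group; the second goes beyond it by collecting every name="value" pair inside the VULN tag regardless of attribute order, which is the failure mode of the fixed-order regex. The three sample events are constructed, the third one added here to show that difference; none of them are real scanner output.

```python
import re

# Constructed sample events modelled on the two lines in the question.
# The third line is an added variant with the attributes reordered.
SAMPLE_EVENTS = [
    '<VULN number="MP-413771" severity="5" cveid="CVE-2015-1762">',
    ' <VULN number="MP-413771" severity="5">',
    '<VULN cveid="CVE-2015-1762" number="MP-413771" severity="5">',
]

# Python equivalent of the single rex: fixed attribute order, cveid optional.
ONE_REX = re.compile(
    r'number="(?P<vuln_number>[^"]*)"\s+'
    r'severity="(?P<vuln_severity>[^"]*)"'
    r'(?:\s+cveid="(?P<vuln_cve>[^"]*)")?'
)

# Order-independent alternative: isolate the VULN tag, then pull out
# every name="value" pair it contains (roughly what spath yields per attribute).
VULN_TAG_RE = re.compile(r'<VULN\b(?P<attrs>[^>]*)>')
ATTR_RE = re.compile(r'(?P<name>[A-Za-z_][\w.-]*)="(?P<value>[^"]*)"')


def extract_one_rex(event: str) -> dict:
    """Mirror the Splunk rex. Groups that did not match (e.g. missing cveid)
    are dropped, just as Splunk creates no field for an unmatched group."""
    m = ONE_REX.search(event)
    if m is None:
        return {}
    return {k: v for k, v in m.groupdict().items() if v is not None}


def extract_vuln_attrs(event: str) -> dict:
    """Return {'number': ..., 'severity': ..., 'cveid': ...} for whichever
    attributes are present, in any order; {} if no VULN tag is found."""
    tag = VULN_TAG_RE.search(event)
    if tag is None:
        return {}
    return {m.group("name"): m.group("value")
            for m in ATTR_RE.finditer(tag.group("attrs"))}


def extract_all(events) -> list:
    """Apply the order-independent extraction to a batch of events."""
    return [extract_vuln_attrs(e) for e in events]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("rex  :", extract_one_rex(e))
        print("attrs:", extract_vuln_attrs(e))
```

On the third sample the single-rex version returns number and severity but no vuln_cve, because the optional cveid group only looks after severity; the attribute-pair version returns all three. If the scanner's output can vary in attribute order, either build the rex around individual attributes (Richfez's three-rex form) or let spath do the work as niketn suggests.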