I am using the whois add on and the results from the add-on are a single field that is an xml string.
I would like to parse the xml string to retrieve fields to add to my results. Is this possible?
Have you tried using xmlkv in your search?
Ideally, the KV_MODE in props.conf should be set to xml.
your search | xmlkv
http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/Xmlkv
If the XML has nested values, you could try using spath
http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/Spath
Here is what I am running:
(dest = 162.248.150.* OR 192.168.*.* ) AND src_ip != 192.168.*.* AND src_ip=184.168.152.52 | stats count by src_ip | sort -count | lookup whoisLookup ip as src_ip | spath path=WhoisRecord.RegistryData.Registrant output=Country input=whois
and sample output:
src_ip count Country whois
184.168.152.52 4814 ['<WhoisRecord xmlns="http://adam.kahtava.com/services/whois" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><DomainName>184.168.152.52</DomainName><RegistryData><AbuseContact><Email>abuse@godaddy.com</Email><Name>Abuse Department</Name><Phone>+1-480-624-2505</Phone></AbuseContact><AdministrativeContact><Email>noc@godaddy.com</Email><Name>Network Operations Center</Name><Phone>+1-480-505-8809</Phone></AdministrativeContact><BillingContact i:nil="true"/><CreatedDate>2010-09-21T11:16:05-04:00</CreatedDate><RawText i:nil="true"/><Registrant><Address>14455 N Hayden Road
, Suite 226</Address><City>Scottsdale</City><Country>US</Country><Name>GoDaddy.com, LLC</Name><PostalCode>85260</PostalCode><StateProv>AZ</StateProv></Registrant><TechnicalContact><Email>noc@godaddy.com</Email><Name>Network Operations Center</Name><Phone>+1-480-505-8809</Phone></TechnicalContact><UpdatedDate>2014-02-25T18:37:10-05:00</UpdatedDate><ZoneContact i:nil="true"/></RegistryData></WhoisRecord>']
I found the spath function after posting the question, however, I have not been successful in getting it to extract any data. I am not sure if I have incorrect syntax or what is going on.
Any insight would be appreciated.
Thanks
Shawn
Going off Pochichen, try this:
(dest = 162.248.150.* OR 192.168.*.* ) AND src_ip != 192.168.*.* AND src_ip=184.168.152.52 | stats count by src_ip | sort -count | lookup whoisLookup ip AS src_ip | eval whois = substr(whois, 3, len(whois)-4) | spath path=WhoisRecord.RegistryData.Registrant.Country output=Country input=whois
Or, to get all the fields:
(dest = 162.248.150.* OR 192.168.*.* ) AND src_ip != 192.168.*.* AND src_ip=184.168.152.52 | stats count by src_ip | sort -count | lookup whoisLookup ip AS src_ip | eval whois = substr(whois, 3, len(whois)-4) | spath input=whois
Substring the value in the whois field so that it starts with <WhoisRecord, not [.
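As an added example (not code from this thread or from the whois add-on), here are the same two steps, strip the ['...'] wrapper and then walk the dotted path, done in Python against a constructed, trimmed copy of the record above. The function names are my own; xml_path mimics spath's dotted path syntax, ignores the default namespace, and returns None for elements marked i:nil="true".

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample: the lookup field value as the thread shows it, i.e. the
# XML document wrapped in a Python-list-style "['...']" (trimmed for brevity).
WHOIS_FIELD = (
    "['<WhoisRecord xmlns=\"http://adam.kahtava.com/services/whois\" "
    "xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\">"
    "<DomainName>184.168.152.52</DomainName><RegistryData>"
    "<AbuseContact><Email>abuse@godaddy.com</Email></AbuseContact>"
    "<BillingContact i:nil=\"true\"/>"
    "<Registrant><City>Scottsdale</City><Country>US</Country>"
    "<Name>GoDaddy.com, LLC</Name></Registrant>"
    "</RegistryData></WhoisRecord>']"
)

XSI_NIL = "{http://www.w3.org/2001/XMLSchema-instance}nil"


def is_well_formed(doc: str) -> bool:
    """True if the string parses as XML; the wrapped value does not."""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


def strip_list_wrapper(value: str) -> str:
    """Remove the leading "['" and trailing "']" so the text starts at
    <WhoisRecord (what the substr() in the answer above does). An unwrapped
    value is returned unchanged, so this is safe to apply unconditionally."""
    value = value.strip()
    if value.startswith("['") and value.endswith("']"):
        return value[2:-2]
    return value


def xml_path(doc: str, path: str) -> Optional[str]:
    """Return the text at a dotted path such as
    WhoisRecord.RegistryData.Registrant.Country. Elements are matched on
    local name, so the xmlns declaration need not appear in the path."""
    parts = path.split(".")
    node = ET.fromstring(doc)
    if node.tag.split("}")[-1] != parts[0]:
        return None
    for name in parts[1:]:
        node = next((c for c in node if c.tag.split("}")[-1] == name), None)
        if node is None:
            return None
    if node.get(XSI_NIL) == "true":  # <BillingContact i:nil="true"/> -> None
        return None
    return (node.text or "").strip()


def extract_country(field_value: str) -> Optional[str]:
    """Full pipeline for one lookup row: unwrap, then extract the country."""
    doc = strip_list_wrapper(field_value)
    return xml_path(doc, "WhoisRecord.RegistryData.Registrant.Country")
```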