Splunk Search

Trying to extract these three fields from XML using regex

sphc
Explorer

Hi!
I can not extract three fields from xml using regex. Please tell me how it can be done

<VULN number="MP-413771" severity="5" cveid="CVE-2015-1762">

Thank you

P.S. Also there is lines like this:

 <VULN number="MP-413771" severity="5">

Does it work for everything?

0 Karma

niketn
Legend

@sphc, for extracting XML nodes you should try spath command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spat).
Unless you have turned on KV_MODE as xml for your data (which extracts XML nodes during search time field discovery), you should ideally write a rex to extract XML data and then apply spath on that to extract fields. Following is a run anywhere search based on your examples:

| makeresults
| eval _raw="<VULN number=\"MP-413771\" severity=\"5\" cveid=\"CVE-2015-1762\">"
| append
   [| makeresults
| eval _raw="<VULN number=\"MP-413771\" severity=\"5\">"]
| spath
| table VULN*
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Richfez
SplunkTrust
SplunkTrust

I'm surprised they weren't auto-extracted.

But, in one rex:

... | rex "number=\"(?<vuln_number>[^"]*)\"\s+severity=\"(?<vuln_severity>[^"]*)\"(\s+cveid=\"(?<vuln_cve>[^"]*)\")?"

Or as three easy ones so you can use just the ones you want.

... | rex "number=\"(?<vuln_number>[^"]*)\"" | rex "severity=\"(?<vuln_severity>[^"]*)\"" | rex "cveid=\"(?<vuln_cve>[^"]*)\""

Give those a try.

Happy Splunking!
-Rich

Richfez
SplunkTrust
SplunkTrust

Edited post - silly me forgot the opening/closing quotes on some. You can see the regex101 stuff here:
https://regex101.com/r/A3liy0/1 (That's what I was copying that I just did a FAIL on the adding quotes back in).

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...