I am trying to pull fields out of an .xml file where I can make sense of them and put the info into a dashboard. I am trying to pull the ruleID, ruleResult, and result count out where they are relational to each other, so I have (CVE#, Fail or Fixed, count#). I tried making new fields, but Splunk doesn't see that these fields have any relation to each other and they just come up as individuals.
<summRes:ruleResult ruleID="CVE-2000-1985">
<summRes:ident>CVE-2000-1985</summRes:ident>
<summRes:ruleComplianceItem ruleResult="fail">
<summRes:result count="15489"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID="CVE-2000-1820">
<summRes:ident>CVE-2000-1820</summRes:ident>
<summRes:ruleComplianceItem ruleResult="fail">
<summRes:result count="14560"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID="CVE-2000-4568">
<summRes:ident>CVE-2000-4568</summRes:ident>
<summRes:ruleComplianceItem ruleResult="fail">
<summRes:result count="13458"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID="CVE-2000-1156">
<summRes:ident>CVE-2000-1156</summRes:ident>
<summRes:ruleComplianceItem ruleResult="fail">
<summRes:result count="12567"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID="CVE-2000-5641">
<summRes:ident>CVE-2000-5641</summRes:ident>
<summRes:ruleComplianceItem ruleResult="fail">
<summRes:result count="11243"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID="CVE-2000-1985">
<summRes:ident>CVE-2000-1985</summRes:ident>
<summRes:ruleComplianceItem ruleResult="fixed">
<summRes:result count="900"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID="CVE-2000-1156">
<summRes:ident>CVE-2000-1156</summRes:ident>
<summRes:ruleComplianceItem ruleResult="fixed">
<summRes:result count="726"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID="CVE-2000-4568">
<summRes:ident>CVE-2000-4568</summRes:ident>
<summRes:ruleComplianceItem ruleResult="fixed">
<summRes:result count="455"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
@avery2007 if you are indexing the XML file to Splunk and have KV_MODE=xml set in the props.conf for the same, then the XML values should get extracted automatically. I have used the spath command in the run-anywhere example below to extract the same fields using SPL. You can use the commands from | rename ... onwards if KV_MODE=xml is set.
| makeresults
| eval xmlData="<summRes:ruleResult ruleID=\"CVE-2000-1985\">
<summRes:ident>CVE-2000-1985</summRes:ident>
<summRes:ruleComplianceItem ruleResult=\"fail\">
<summRes:result count=\"15489\"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID=\"CVE-2000-1820\">
<summRes:ident>CVE-2000-1820</summRes:ident>
<summRes:ruleComplianceItem ruleResult=\"fail\">
<summRes:result count=\"14560\"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID=\"CVE-2000-4568\">
<summRes:ident>CVE-2000-4568</summRes:ident>
<summRes:ruleComplianceItem ruleResult=\"fail\">
<summRes:result count=\"13458\"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID=\"CVE-2000-1156\">
<summRes:ident>CVE-2000-1156</summRes:ident>
<summRes:ruleComplianceItem ruleResult=\"fail\">
<summRes:result count=\"12567\"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID=\"CVE-2000-5641\">
<summRes:ident>CVE-2000-5641</summRes:ident>
<summRes:ruleComplianceItem ruleResult=\"fail\">
<summRes:result count=\"11243\"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID=\"CVE-2000-1985\">
<summRes:ident>CVE-2000-1985</summRes:ident>
<summRes:ruleComplianceItem ruleResult=\"fixed\">
<summRes:result count=\"900\"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID=\"CVE-2000-1156\">
<summRes:ident>CVE-2000-1156</summRes:ident>
<summRes:ruleComplianceItem ruleResult=\"fixed\">
<summRes:result count=\"726\"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID=\"CVE-2000-4568\">
<summRes:ident>CVE-2000-4568</summRes:ident>
<summRes:ruleComplianceItem ruleResult=\"fixed\">
<summRes:result count=\"455\"/>
</summRes:ruleComplianceItem>
</summRes:ruleResult>"
| spath input=xmlData
| fields - xmlData
| rename "summRes:ruleResult.summRes:ruleComplianceItem.summRes:result{@count}" as "count",
"summRes:ruleResult.summRes:ruleComplianceItem{@ruleResult}" as "ruleResult",
"summRes:ruleResult{@ruleID}" as "ruleID"
| eval data=mvzip(mvzip(ruleID,ruleResult),count)
| fields data
| mvexpand data
| makemv data delim=","
| eval ruleID=mvindex(data,0),
ruleResult=mvindex(data,1),
count=mvindex(data,2)
| table ruleID, ruleResult, count
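The same correlation done outside Splunk, as an added example that is not part of the answer above: a Python parser that walks each ruleResult subtree so ruleID, ruleResult and count are read from the same element and stay tied together. The namespace URI (urn:example:summRes) and the fourth ruleResult with no result element are constructed for this example; the question's snippet declares no namespace and every rule there has a count.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace URI is an assumption: the fragment in the question never declares it.
NS = {"summRes": "urn:example:summRes"}

# Constructed sample: rules taken from the question, plus one "fixed" entry with
# no <summRes:result/> to show that positional zipping of three flat lists would
# shift later counts onto the wrong rule, while a per-subtree walk does not.
SAMPLE_XML = """<summRes:results xmlns:summRes="urn:example:summRes">
<summRes:ruleResult ruleID="CVE-2000-1985"><summRes:ident>CVE-2000-1985</summRes:ident>
<summRes:ruleComplianceItem ruleResult="fail"><summRes:result count="15489"/></summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID="CVE-2000-1156"><summRes:ident>CVE-2000-1156</summRes:ident>
<summRes:ruleComplianceItem ruleResult="fail"><summRes:result count="12567"/></summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID="CVE-2000-1985"><summRes:ident>CVE-2000-1985</summRes:ident>
<summRes:ruleComplianceItem ruleResult="fixed"><summRes:result count="900"/></summRes:ruleComplianceItem>
</summRes:ruleResult>
<summRes:ruleResult ruleID="CVE-2000-1156"><summRes:ident>CVE-2000-1156</summRes:ident>
<summRes:ruleComplianceItem ruleResult="fixed"/>
</summRes:ruleResult>
</summRes:results>"""


def extract_rule_results(xml_text):
    """Return one (ruleID, ruleResult, count) row per ruleResult element.

    All three values come from the same subtree, so a missing count yields
    None for that rule instead of borrowing the next rule's value.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for rule in root.findall("summRes:ruleResult", NS):
        item = rule.find("summRes:ruleComplianceItem", NS)
        status = item.get("ruleResult") if item is not None else None
        result = item.find("summRes:result", NS) if item is not None else None
        raw_count = result.get("count") if result is not None else None
        count = int(raw_count) if raw_count is not None else None
        rows.append((rule.get("ruleID"), status, count))
    return rows


def summarize(rows):
    """Pivot rows into {ruleID: {"fail": n, "fixed": n}} for a dashboard table."""
    table = defaultdict(dict)
    for rule_id, status, count in rows:
        table[rule_id][status] = count
    return dict(table)


if __name__ == "__main__":
    for rule_id, statuses in summarize(extract_rule_results(SAMPLE_XML)).items():
        print(rule_id, statuses)
```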
This is fake CVE data by the way... I'm not putting real vulnerabilities up on forums.