XML Processing Help

msr1716
msr1716 Posts: 4

Hey, if I have an event that is coming into Cribl Stream, with format
of “<?xml version="1.0" encoding="UTF-8"?>” how would I convert
the event to JSON?
I see the use of C.Text.parseXml(_raw, false), but that
doesn't seem to parse it properly for me. Maybe I’m doing it wrong, but
it doesn't seem to get parsed. How would I do that? Tools such as NiFi
can convert from XML to JSON easily and quickly, but this seems a bit
harder.

Answers

  • Eugene Katz
    Eugene Katz Posts: 51 ✭✭

    Can you share a sanitized or stripped down example XML you’re having
    trouble parsing? Does each event start with <?xml> tag, or a file
    with multiple events?

  • msr1716
    msr1716 Posts: 4

    @eugene it's similar to McAfee HBSS data such as:

    <?xml version="1.0" encoding="UTF-8"?>
    <SCORData>
        <MachineInfo>
            <MachineName>HOSTNAME</MachineName>
            <AgentGUID>GUID HERE</AgentGUID>
            <IPAddress>127.0.0.1</IPAddress>
            <OSName>Windows 8 Workstation</OSName>
            <UserName>SYSTEM</UserName>
            <TimeZoneBias>-60</TimeZoneBias>
            <RawMACAddress>123456789012</RawMACAddress>
        </MachineInfo>
        <SCORSoftware ProductName="Solidifier" ProductVersion="8.2.0.140" ProductFamily="Secure">
            <SCOREvent>
                <EventID>12321</EventID>
                <Severity>1</Severity>
                <GMTTime>2000-11-21T11:31:57</GMTTime>
                <SCORevent_name>COMMAND_EXECUTED</SCORevent_name>
                <SCORevt_id>8</SCORevt_id>
                <SCORevt_type>EVT_CAT_TYPE_INFO</SCORevt_type>
                <SCORevt_sink>7</SCORevt_sink>
                <SCORseq_no>1</SCORseq_no>
                <SCORtime_stamp>1637494316200</SCORtime_stamp>
                <SCORserver_state>0</SCORserver_state>
                <SCORend_time>Sun Nov 21 2000 12:31:56</SCORend_time>
                <SCORuser_name>...</SCORuser_name>
                <SCORcmd_line>...</SCORcmd_line>
                <SCORstatus>0</SCORstatus>
            </SCOREvent>
        </SCORSoftware>
    </SCORData>
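
The conversion the thread is asking about, as an added example that is not code from the thread or from Cribl: it parses an XML event shaped like the SCOR sample above with Python's standard library and emits the nested JSON a practitioner can compare against what Cribl Stream's C.Text.parseXml(_raw) produces. The key conventions here ("@attr" for attributes, "#text" for mixed content, lists for repeated children) are this example's own assumptions, not Cribl's documented output shape, and the sample is a trimmed version of the posted event.

```python
# Added example (not from the thread or Cribl): XML event -> JSON-ready dict.
# Conventions assumed here: "@name" for attributes, "#text" for mixed content,
# a list when the same child tag repeats. Leaf elements become plain strings.
import json
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed version of the SCOR event posted in the thread.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<SCORData>
    <MachineInfo>
        <MachineName>HOSTNAME</MachineName>
        <IPAddress>127.0.0.1</IPAddress>
    </MachineInfo>
    <SCORSoftware ProductName="Solidifier" ProductVersion="8.2.0.140" ProductFamily="Secure">
        <SCOREvent>
            <EventID>12321</EventID>
            <SCORevent_name>COMMAND_EXECUTED</SCORevent_name>
        </SCOREvent>
    </SCORSoftware>
</SCORData>"""


def element_to_obj(elem):
    """Recursively turn an Element into a str (leaf) or dict (branch)."""
    obj = {"@" + k: v for k, v in elem.attrib.items()}
    for child in elem:
        value = element_to_obj(child)
        if child.tag in obj:                     # repeated sibling -> list
            if not isinstance(obj[child.tag], list):
                obj[child.tag] = [obj[child.tag]]
            obj[child.tag].append(value)
        else:
            obj[child.tag] = value
    text = (elem.text or "").strip()
    if not obj:                                  # leaf element: just its text
        return text
    if text:                                     # mixed content keeps its text
        obj["#text"] = text
    return obj


def xml_to_obj(raw):
    """Parse one XML event (declaration included) into {root_tag: contents}."""
    root = ET.fromstring(raw)
    return {root.tag: element_to_obj(root)}


def xml_to_json(raw):
    """Same as xml_to_obj, serialized as an indented JSON string."""
    return json.dumps(xml_to_obj(raw), indent=2)


if __name__ == "__main__":
    print(xml_to_json(SAMPLE_XML))
```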
    

  • Eugene Katz
    Eugene Katz Posts: 51 ✭✭
    Answer ✓

    This setup worked for me. Can you check where yours differs?

  • msr1716
    msr1716 Posts: 4

    @eugene It looks like that works. Thanks. That helps. Would be nice to have that included in the official documentation.

  • Eugene Katz
    Eugene Katz Posts: 51 ✭✭

    Glad it helped! Please mark the answer as the Solution when you have a chance.

    Would be nice to have that included in the official documentation

    I’ll talk to the docs team about making an update. What was the new
    insight you gained from my answer? How was it different from what you
    were trying to do?

  • msr1716
    msr1716 Posts: 4

    @eugene the documentation Reducing Windows XML Events | Cribl Docs shows that it can be run like C.Text.parseXml(_raw, false), so with 2 variables, not 1, in the parentheses. C.Text.parseXml(_raw, false) is different from what worked, C.Text.parseXml(_raw).

  • Eugene Katz
    Eugene Katz Posts: 51 ✭✭

    Strange. With the sample you shared, C.Text.parseXml(_raw,false) works (as does true) just as well for me. I wonder if something else.