
Splunk searching nested json

Hello, I use automatic translation because I am not good at English. Sorry.

I took NVD's CVE list (JSON feed) into Splunk.

I am searching it with:

    index="testIndex" product_name = "openssl" "version_data" = "1.6.0"

There is no "1.6.0" in the version of openssl.

I want to link product with version, but it does not work as expected. I can't get spath or mvexpand to extract the nested arrays properly.

Someone help me.

    {
      "cve" : {
        "CVE_data_meta" : {
          "ID" : "CVE-2013-0169",
          "ASSIGNER" : "cve@mitre.org"
        },
        "affects" : {
          "vendor" : {
            "vendor_data" : [
              {
                "vendor_name" : "openssl",
                "product" : {
                  "product_data" : [
                    {
                      "product_name" : "openssl",
                      "version" : {
                        "version_data" : [
                          { "version_value" : "*" },
                          { "version_value" : "0.9.8" },
                          { "version_value" : "0.9.8a" },
                          { "version_value" : "0.9.8b" },
                          { "version_value" : "0.9.8c" },
                          { "version_value" : "0.9.8d" },
                          { "version_value" : "0.9.8f" },
                          { "version_value" : "0.9.8g" }
                        ]
                      }
                    }
                  ]
                }
              },
              {
                "vendor_name" : "oracle",
                "product" : {
                  "product_data" : [
                    {
                      "product_name" : "openjdk",
                      "version" : {
                        "version_data" : [
                          { "version_value" : "-" },
                          { "version_value" : "1.6.0" },
                          { "version_value" : "1.7.0" }
                        ]
                      }
                    }
                  ]
                }
              },
              {
                "vendor_name" : "polarssl",
                "product" : {
                  "product_data" : [
                    {
                      "product_name" : "polarssl",
                      "version" : {
                        "version_data" : [
                          { "version_value" : "0.10.0" },
                          { "version_value" : "0.10.1" },
                          { "version_value" : "0.11.0" }
                        ]
                      }
                    }
                  ]
                }
              }
            ]
          }
        }
      },
      "publishedDate" : "2013-02-08T19:55Z",
      "lastModifiedDate" : "2018-08-09T01:29Z"
    }
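
An added example, not part of the original post: one way to keep each product paired with its own versions is to expand the nested arrays one level at a time with spath and mvexpand, so that every result row carries exactly one vendor, one product and one version before the filter is applied. It assumes one CVE item per event, as in the sample event in the post; the field names cve_id, vendor_obj, product_obj, vendor, product and version are chosen here and do not come from the feed.

```spl
index="testIndex"
| spath path=cve.CVE_data_meta.ID output=cve_id
| spath path=cve.affects.vendor.vendor_data{} output=vendor_obj
| mvexpand vendor_obj
| spath input=vendor_obj path=vendor_name output=vendor
| spath input=vendor_obj path=product.product_data{} output=product_obj
| mvexpand product_obj
| spath input=product_obj path=product_name output=product
| spath input=product_obj path=version.version_data{}.version_value output=version
| mvexpand version
| search product="openssl" version="1.6.0"
| table cve_id vendor product version
```

For the sample event this returns no rows, while product="openjdk" version="1.6.0" returns CVE-2013-0169. A filter on the flattened multivalue fields matches the event because those fields hold every product name and every version value in the event at once, without recording which version belongs to which product.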
