topic Re: Problem pulling multiple values from field-extraction within a subsearch in Splunk Search

Problem pulling multiple values from field-extraction within a subsearch

jonathangrant74 — Thu, 02 Nov 2017 17:33:04 GMT

Good day. I am trying to use a subsearch to extract SSL certificate Subject Alternative Names (SAN) from Nessus scan data and I'm running into the issue with subsearches only returning 1 value in a multi-value field. If I run the search as the primary search, it returns all of the applicable values; however, when run as a subsearch, it only returns 1 value. I understand that by default the subsearch will only return the first value, but I'm trying to find a way to get all of the values over to the main search.

I've searched around and have seen some articles asking a very similar question and I've not been able to use any of the proposed solutions successfully. I tried using "format" in my subsearch, but when I use that, I get zero result returned to the main search. I've also seen solutions that suggest edits to the the props.conf file, but I have not tried that yet.

I think this is a common thing and it may not be possible to do what I'm trying to do, but I wanted to reach out to the community to see if anyone has any suggestions that I can try before I give on on this one. Thank you in advance for your time reading this and any input you might have.

Below is a sample snippet from the Nessus log data containing the SANs as well as the subsearch and regex I'm using for the SAN (certSAN) field extraction.

Sample Extract from Raw Data:
\nKey Usage: Digital Signature, Key Encipherment, Sata Encipherment\n\nExtension: Subject Alternative Name (2.5.29.17)\nCritical: 0\DNS: sample1.test.com\nDNS: sample2.test.com\nDNS: sample3.test.com\n

Search String:
main search |join ip [search index=tenablesc pluginText="Subject Alternative Name" |rex field=pluginText "DNS: (?[^\n]+)" |fields +ip, certSAN]

Re: Problem pulling multiple values from field-extraction within a subsearch

cmerriman — Thu, 02 Nov 2017 18:49:18 GMT

assuming the dns extraction is for the certsan field. your regex needed a field name called out and then i made it an mv field after the subsearch.

Re: Problem pulling multiple values from field-extraction within a subsearch

jonathangrant74 — Thu, 02 Nov 2017 20:40:25 GMT

Thank you for the input. I tried running the additional commands you suggested and the search errored out with this message:

Error in 'makemv' command: Option 'certSANdelim=\nDNS: ' is invalid.

On a separate note, I noticed that I accidentally neglected to include the 'search' command prior to "index=..." in my subsearch from my initial post. I have it properly defined in my actual Splunk search btw 😉

Re: Problem pulling multiple values from field-extraction within a subsearch

cmerriman — Thu, 02 Nov 2017 23:29:12 GMT

My mistake. I had a typo There needs to be a space between certSAN and delim. I have fixed it in my original post

Re: Problem pulling multiple values from field-extraction within a subsearch

jonathangrant74 — Thu, 16 Nov 2017 22:06:03 GMT

Sorry for the delay in my response!! I was given a few priority projects that I had to knock out before I was able to spend time on this again.

Anyhoo, I added the suggested makemv string to my search and it is still only pulling one of the SAN names; however, when I manually check the test-target, the Nessus log within Splunk contains 5 SAN names, so I know there is still more there.

Back to the drawing board 🙂

Re: Problem pulling multiple values from field-extraction within a subsearch

jonathangrant74 — Fri, 17 Nov 2017 18:36:21 GMT

WooHoo! I was able to get this working and I am now pulling all of the SAN values for applicable SSL certificates. Technically the multiple SAN values are 1 value as they are all on the same line, but I think I can correct this in the final report; but that is just vanity. As long as I can pull all of the SANS from the cert, I'm happy.

I appended 'max_match=0' to the rex string; 0 being indefinite matches. Here is what the working search string looks like:

main search |join ip [index=tenablesc pluginText="Subject Alternative Name"|rex max_match=0 field=data "DNS: (?<certSAN>[^\\n]+)"|fields ip certSAN]|makemv certSAN delim="\nDNS: "|replace *\n with * in certSAN

I hope this is helpful to someone at some point having a similar issue.

Re: Problem pulling multiple values from field-extraction within a subsearch

sander980 — Tue, 29 Sep 2020 16:54:12 GMT

Hi, I had a similar requirement today and this post put me on the right path I also wanted to get the individual dns names out. For this I used mvindex which seems to work well without a subsearch.
Sharing in case it helps you with that report!

main search
| rex field=pluginText max_match=0 "DNS: (?[^\n\s]+)"
| eval Subject_AN=mvindex(SAN,0,-1)