topic Re: Using rex to extract text from tenable sc output in Splunk Search

Using rex to extract text from tenable sc output

geoffmx — Fri, 28 Jun 2019 08:11:46 GMT

I am attempting to extract the share names from the "pluginText" field below.

pluginText:  <plugin_output>
Here are the SMB shares available on the remote host when logged in as SomeAccount:

  - share1$
  - Share-2$
  - share 3
  - share number 4
  - share - number - 5
  - and_so_on
</plugin_output>

and require the out put to show like this...

share1$
Share-2$
share 3
share number 4
share - number - 5
and_so_on

I had some luck with this... | rex ":* - (?<pluginText>[^<]*)</plugin_output>" | makemv delim=" - " pluginText
... with the exception of share names that contained a " - ". For example, " share - number - 5" gets split into three separate names because of the delimiter.

I've also tried this... | rex "^[^\-\n]*\-\s+(?<pluginText>[^<]*)" | makemv delim="\n - " pluginText

But it's not consistent. Sometimes, I get the share names as intended, and sometimes it just shows all the text including whats not required.
I'm not very strong with regular expressions, so I'm requesting help to get it right on splunk.

Re: Using rex to extract text from tenable sc output

klischatb — Fri, 28 Jun 2019 09:02:32 GMT

Hello,
i tried this regex to get only the "-" out of your text.
Maybe this will help:

\s\s(?(-))\s

Re: Using rex to extract text from tenable sc output

lakshman239 — Fri, 28 Jun 2019 10:04:21 GMT

May not be the best one, but would this help?

\-\s+(?<myshares>........?.?.?.?.?.?.?.?.?.?.?)

https://regex101.com/r/CbiPte/2

Re: Using rex to extract text from tenable sc output

geoffmx — Fri, 28 Jun 2019 10:46:04 GMT

Thanks Laxman!

It works on the sample set provided, but doesn't when tested with actual logs.

I've managed to get it working with this...

    | rex ":* - (?<pluginText>[^<]*)</plugin_output>" 
    | makemv delim="\n  - " pluginText

Re: Using rex to extract text from tenable sc output

wenthold — Fri, 28 Jun 2019 21:15:09 GMT

Try with max_match set to a high value.

| rex max_match=500 "(?:\s*-\s*(?<share_name>.*))" | mvexpand share_name

If you have a field name that contains just the plugin output text with the share list (I'm not familiar with Tenable SC logs) use "field={your field name}" with rex, by default it runs the pattern against the entire _raw message.

Re: Using rex to extract text from tenable sc output

spayneort — Sat, 29 Jun 2019 03:51:07 GMT

<search> | rex field=pluginText max_match=100 "\\n\s+-\s(?<share>[^\\n]*)"

Re: Using rex to extract text from tenable sc output

geoffmx — Mon, 01 Jul 2019 07:27:14 GMT

Thank you! This worked perfectly.