https://community.splunk.com/t5/Splunk-Search/Limiting-Software-Enumeration/m-p/519213#M146205 Can you post your query / dashboard code, so community could help you? Sat, 12 Sep 2020 15:07:12 GMT isoutamo 2020-09-12T15:07:12Z https://community.splunk.com/t5/Splunk-Search/Limiting-Software-Enumeration/m-p/519210#M146204 <P>I would like to modify an existing dashboard to limit the Linux package that is being reported.&nbsp; Specifically, I want to see any packages that start with kernel.&nbsp; The plugin that is in use is Software Enumeration (SSH).&nbsp; The existing query returns too many records and is truncated.&nbsp; If I could limit it to see kernel packages only I think it would allow the query to complete.&nbsp; Does anybody have any suggestions how to pass this kernel*?&nbsp;&nbsp;</P> Sat, 12 Sep 2020 14:43:50 GMT https://community.splunk.com/t5/Splunk-Search/Limiting-Software-Enumeration/m-p/519210#M146204 mccobalt96 2020-09-12T14:43:50Z https://community.splunk.com/t5/Splunk-Search/Limiting-Software-Enumeration/m-p/519213#M146205 Can you post your query / dashboard code, so community could help you? Sat, 12 Sep 2020 15:07:12 GMT https://community.splunk.com/t5/Splunk-Search/Limiting-Software-Enumeration/m-p/519213#M146205 isoutamo 2020-09-12T15:07:12Z https://community.splunk.com/t5/Splunk-Search/Limiting-Software-Enumeration/m-p/519215#M146207 <P>I'm hoping this is what you are looking for:&nbsp; (I'm a newbie).</P><P>index=server_logs sourcetype="tenable:sc:vuln" pluginName="Software Enumeration (SSH)" dnsName = "$server$"<BR />| rex field=pluginText "Linux system\s\:\s+(?&lt;RPM&gt;[^&lt;]+)"<BR />| rex field=RPM mode=sed "s/\s+/;/g"<BR />| makemv RPM delim=";"<BR />| mvexpand RPM<BR />| table dnsName RPM<BR />| dedup dnsName RPM</P> Sat, 12 Sep 2020 15:14:03 GMT https://community.splunk.com/t5/Splunk-Search/Limiting-Software-Enumeration/m-p/519215#M146207 mccobalt96 2020-09-12T15:14:03Z https://community.splunk.com/t5/Splunk-Search/Limiting-Software-Enumeration/m-p/519219#M146208 <P>I believe I figured it out:</P><P>index=server_logs sourcetype="tenable:sc:vuln" pluginName="Software Enumeration (SSH)" dnsName = "$server$"<BR />| rex field=pluginText "Linux system\s\:\s+(?&lt;RPM&gt;[^&lt;]+)"<BR />| rex field=RPM mode=sed "s/\s+/;/g"<BR />| makemv RPM delim=";"<BR />| mvexpand RPM | search RPM="kernel*"<BR />| table dnsName RPM<BR />| dedup dnsName RPM</P><P>Unfortunately it includes any kernel-* items not just what I am looking for (i.e. kernel-3.10.*).&nbsp; If I could limit it to kernel-3* and kernel-2* I think it would get what I need... Any way to do that?&nbsp; Thanks!</P> Sat, 12 Sep 2020 15:32:42 GMT https://community.splunk.com/t5/Splunk-Search/Limiting-Software-Enumeration/m-p/519219#M146208 mccobalt96 2020-09-12T15:32:42Z https://community.splunk.com/t5/Splunk-Search/Limiting-Software-Enumeration/m-p/519221#M146209 Nice to hear that you figure it out. Probably this helps you to solve the rest?<BR /><A href="https://community.splunk.com/t5/Splunk-Search/How-can-I-use-regex-with-wildcard-patterns-in-a-search-to/m-p/236537" target="_blank">https://community.splunk.com/t5/Splunk-Search/How-can-I-use-regex-with-wildcard-patterns-in-a-search-to/m-p/236537</A><BR />Another option is | where match or like<BR />r. Ismo Sat, 12 Sep 2020 16:31:30 GMT https://community.splunk.com/t5/Splunk-Search/Limiting-Software-Enumeration/m-p/519221#M146209 isoutamo 2020-09-12T16:31:30Z