topic brake out individual row by host repeated for each line in Splunk Search

brake out individual row by host repeated for each line

youngsuh — Fri, 22 Jan 2021 18:00:11 GMT

Here is what I've done. How to break out the results into individual software correctly in Splunk. Any tips could be helpful. Here is the regex being used for software_name and software_version.

| rex max_match=100 field=pluginText "\n+(?<software_name>[^[].*)\s\s\[version\s\d" | rex max_match=100 field=pluginText "\s\s\[version\s(?<software_version>[^[]*.)\]" | stats values(software_name) as software_name values(software_version) as software_version by dest

Here is the text being rex to field value.

<plugin_output> The following software are installed on the remote host : McAfee Agent [version 5.6.6.232] Mozilla Firefox 84.0.2 (x64 en-US) [version 84.0.2] Mozilla Maintenance Service [version 84.0.2] The following updates are installed : Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 : KB2151757 [version 1] [installed on 3/23/2020] KB2467173 [version 1] [installed on 3/23/2020] KB2565063 [version 1] [installed on 9/10/2020] KB982573 [version 1] [installed on 3/23/2020] Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 : KB2151757 [version 1] [installed on 3/23/2020] KB2467173 [version 1] [installed on 3/23/2020] KB2565063 [version 1] [installed on 3/23/2020] KB982573 [version 1] [installed on 3/23/2020] </plugin_output>

I want to break out the results to induvial line with the host repeated. But, I don't know where to start. I'd try mvexpan function but, it doesn't break out the correct pair of data.

Re: brake out individual row by host repeated for each line

to4kawa — Sun, 24 Jan 2021 05:00:15 GMT

| makeresults | eval _raw="<plugin_output> The following software are installed on the remote host : McAfee Agent [version 5.6.6.232] Mozilla Firefox 84.0.2 (x64 en-US) [version 84.0.2] Mozilla Maintenance Service [version 84.0.2] The following updates are installed : Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 : KB2151757 [version 1] [installed on 3/23/2020] KB2467173 [version 1] [installed on 3/23/2020] KB2565063 [version 1] [installed on 9/10/2020] KB982573 [version 1] [installed on 3/23/2020] Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 : KB2151757 [version 1] [installed on 3/23/2020] KB2467173 [version 1] [installed on 3/23/2020] KB2565063 [version 1] [installed on 3/23/2020] KB982573 [version 1] [installed on 3/23/2020] </plugin_output>" | multikv noheader=t | where !match(_raw,"^\<.*") | streamstats count(eval(match(_raw,"The following"))) as session | rex "(?<software>.* )\[version (?<version>[^\]]+)" | where !match(_raw,"The following") | rex "(?<master>.*) :" | filldown master | fillnull master value="-" | stats values(master) as master by software version

Re: brake out individual row by host repeated for each line

youngsuh — Thu, 28 Jan 2021 16:03:37 GMT

@to4kawa

In reviewing your SPL. Look like I didn't provided enough information. I'd get the plugintext has field from a SPL search like so.

index="tenable" sourcetype="tenable:sc:vuln" plugin_id=42760 | rex max_match=100 field=pluginText "\n+(?<software_name>[^[].*)\s\s\[version\s\d" | rex max_match=100 field=pluginText "\s\s\[version\s(?<software_version>[^[]*.)\]" | stats values(software_name) as software_name values(software_version) as software_version by dest

I'd gave your SPL try to pipe the results with no luck. My SPL still is still elementary. Additional help would appreciated.

Re: brake out individual row by host repeated for each line

to4kawa — Thu, 28 Jan 2021 20:38:51 GMT