topic Rex extraction of fields in Splunk Search

Rex extraction of fields

leagawa — Fri, 08 Dec 2017 03:44:15 GMT

I have the following CVE results form a vulnerability report and would like to extract the CVEs to individual CVEs on a separate field.

ADV170012-CVE-2017-0161-CVE-2017-8675-CVE-2017-8676-CVE-2017-8677-CVE-2017-8678-CVE-2017-8679-CVE-2017-8680-CVE-2017-8681-CVE-2017-8682-CVE-2017-8683-CVE-2017-8684-CVE-2017-8686-CVE-2017-8687-CVE-2017-8688-CVE-2017-8692-CVE-2017-8695-CVE-2017-8699-CVE-2017-8707-CVE-2017-8708-CVE-2017-8709-CVE-2017-8713-CVE-2017-8714-CVE-2017-8719-CVE-2017-8720-CVE-2017-8728-CVE-2017-8737

please assist on how to extract using REX and dump the indivual CVEs like CVE-2017-8708 and so on to a separate field

Re: Rex extraction of fields

niketn — Fri, 08 Dec 2017 05:18:20 GMT

@leagawa, try the following run anywhere search based on your sample data:

| makeresults
| eval _raw="ADV170012-CVE-2017-0161-CVE-2017-8675-CVE-2017-8676-CVE-2017-8677-CVE-2017-8678-CVE-2017-8679-CVE-2017-8680-CVE-2017-8681-CVE-2017-8682-CVE-2017-8683-CVE-2017-8684-CVE-2017-8686-CVE-2017-8687-CVE-2017-8688-CVE-2017-8692-CVE-2017-8695-CVE-2017-8699-CVE-2017-8707-CVE-2017-8708-CVE-2017-8709-CVE-2017-8713-CVE-2017-8714-CVE-2017-8719-CVE-2017-8720-CVE-2017-8728-CVE-2017-8737"
| rex "(?<CVE>CVE[^C]+)" max_match=0
| mvexpand CVE
| table CVE
| eval CVE=rtrim(CVE,"-")

Re: Rex extraction of fields

harsmarvania57 — Fri, 08 Dec 2017 05:51:58 GMT

Hi @leagawa,

You can try this regex -(?<CVE>[^-]*\-[^-]*\-[^-]*) so based on sample data which you have provided I have created below query, first 2 lines are used to generate dummy data.

 | makeresults
 | eval _raw="ADV170012-CVE-2017-0161-CVE-2017-8675-CVE-2017-8676-CVE-2017-8677-CVE-2017-8678-CVE-2017-8679-CVE-2017-8680-CVE-2017-8681-CVE-2017-8682-CVE-2017-8683-CVE-2017-8684-CVE-2017-8686-CVE-2017-8687-CVE-2017-8688-CVE-2017-8692-CVE-2017-8695-CVE-2017-8699-CVE-2017-8707-CVE-2017-8708-CVE-2017-8709-CVE-2017-8713-CVE-2017-8714-CVE-2017-8719-CVE-2017-8720-CVE-2017-8728-CVE-2017-8737"
 | rex "-(?<CVE>[^-]*\-[^-]*\-[^-]*)" max_match=0
 | table CVE
 | mvexpand CVE

Re: Rex extraction of fields

woodcock — Fri, 08 Dec 2017 06:07:45 GMT

Like this:

| makeresults
 | eval _raw="ADV170012-CVE-2017-0161-CVE-2017-8675-CVE-2017-8676-CVE-2017-8677-CVE-2017-8678-CVE-2017-8679-CVE-2017-8680-CVE-2017-8681-CVE-2017-8682-CVE-2017-8683-CVE-2017-8684-CVE-2017-8686-CVE-2017-8687-CVE-2017-8688-CVE-2017-8692-CVE-2017-8695-CVE-2017-8699-CVE-2017-8707-CVE-2017-8708-CVE-2017-8709-CVE-2017-8713-CVE-2017-8714-CVE-2017-8719-CVE-2017-8720-CVE-2017-8728-CVE-2017-8737"
 | eval CVE=split(_raw, "CVE-")
 | eval CVE=mvfilter(NOT match(CVE, "^ADV\d+-"))
 | rex field=CVE mode=sed "s/-$//"

Re: Rex extraction of fields

leagawa — Fri, 08 Dec 2017 21:05:58 GMT

Thank you all for the quick response. All the above REGEX worked but the one that gave me the exact results that i needed was the second andswer. I was able to replace the eval _raw with other fields where the data resided in other formats and still got the CVE-- extracted.