topic Re: Multi-Valued Field help in Splunk Search

How to extract a Multi-Valued Field?

Minasdad — Tue, 19 Jul 2022 14:23:54 GMT

I've imported a .csv that has many fields, but the only one I care about has multiple values in it.

pluginText: <plugin_output>

Computer Manufacturer : VMware, Inc.

Computer Model : VMware Virtual Platform

Computer SerialNumber : This is what I REALLY need

Computer Type : Other Computer

"ect"..

</plugin_output>

I've tried extracting, and filtering, I believe Regex may work, but that is where I'm at.

Re: Multi-Valued Field help

yuanliu — Mon, 18 Jul 2022 19:09:02 GMT

Have you checked my answer in https://community.splunk.com/t5/Splunk-Search/Suggestions-for-Tenable-csv-field-extraction/m-p/606026/highlight/true#M210735? This field is not multivalued, just multi-line. Yes, rex should be able to help.

Re: Multi-Valued Field help

Minasdad — Mon, 18 Jul 2022 19:16:30 GMT

Tried both solutions, at this point I'm working with rex to see if I can isolate the data needed.

Re: Multi-Valued Field help

Minasdad — Tue, 19 Jul 2022 13:31:37 GMT

even when I use variations or use regex it seems to return every event in the sourcetype. Isolating the string " Computer SerialNumber" in the "InputText" field seems to be no Bueno

| spath input=pluginText ``` this gives you a field plugin_output ```
| rex field=plugin_output "Computer SerialNumber: (?<serialNumber>.+)"

Re: How to extract a Multi-Valued Field?

Minasdad — Tue, 19 Jul 2022 15:04:20 GMT

sourcetype="tenable:sc:vuln"sourcetype="tenable:sc:vuln" pluginID=24270 | rex field=pluginText max_match=100 "\\n\s+-\s(?<SerialNumber>[^\\n]*)"

Latest try, still returns the event without isolating the string and value required.

Re: How to extract a Multi-Valued Field?

yuanliu — Tue, 19 Jul 2022 16:02:13 GMT

Latest try, still returns the event without isolating the string and value required.

If you use "Smart Mode" and look in the left-hand side, do you see an additional field like SerialNumber? Alternatively, you can use | table SerialNumber pluginText as a test method to see if SerialNumber is extracted.

Re: How to extract a Multi-Valued Field?

Minasdad — Tue, 19 Jul 2022 16:05:20 GMT

Yes, at this point I believe it will take a regex group capture. Using regex is extremely new to me, but from what I'm researching it may be the best option to tackle it.

Re: How to extract a Multi-Valued Field?

yuanliu — Tue, 19 Jul 2022 16:18:19 GMT

"Yes" SerialNumber field is extracted (and has the right values)? Or yes otherwise? It seems that I'm missing some finer points in the requirement.

If you need specific pointers, you can post

Sample data (sanitize as necessary)
Expected output from sample data (including formating/listing considerations)
Sample code you have applied (reduce to the part relevant to the question)
Output from sample code, with an explanation why the output does not meet your expectation (it may not be obvious to others)

Re: How to extract a Multi-Valued Field?

Minasdad — Tue, 19 Jul 2022 16:26:49 GMT

No SerialNumber is not a field and cannot be extracted as a field. The field is "output_text" which has many lines of data that are seen as one value by spluck (.csv). If the Computer SerialNumber line cannot be extracted as a field, then I'm attempting to use regex to do a group capture involving the string itself.

Re: How to extract a Multi-Valued Field?

yuanliu — Tue, 19 Jul 2022 16:31:18 GMT

What I meant to ask is whether the regex extracts SerialNumber.

| rex field=output_text "Computer SerialNumber: (?<SerialNumber>.+)"

(In my code from the other thread, the field would be named "serialNumber" instead of "SerialNumber".)

Re: How to extract a Multi-Valued Field?

Minasdad — Tue, 19 Jul 2022 16:36:48 GMT

No upon executing your query it simply returns every event from the sourcetype, looking to the left at all fields does not show an extraction for "SerialNumber".

Re: How to extract a Multi-Valued Field?

yuanliu — Tue, 19 Jul 2022 17:55:29 GMT

Maybe back to the beginning. Let's test with _raw.

| rex "Computer SerialNumber\s*:\s*(?<SerialNumber>.+)"

Note: I see a space between the string "SerialNumber" and the colon in your data illustration, but my previous code didn't address that. That was my omission. This one handles common variants vendors might print their data. If space handling is the problem, you can add back field restriction.