topic Re: Partial Value as a match or field in Splunk Search

Is it possible to break a value down to partial values as a match or field?

Minasdad — Wed, 20 Jul 2022 16:32:21 GMT

So I have a field (plugin_output)that has a paragraph of hardware info as one value. The only part of the value I'm concerned with is the "Computer SerialNumber". Is it possible to break this value down into multiple values? I've tried field extraction with no luck, it may be possible to do a string search, but I would also need variables to account for the actual serial number value I want.

<plugin_output> Computer Manufacturer : VMware, Inc. Computer Model : VMware7,1 Computer SerialNumber : VMware-65 6d 69 60 3b 89 2a a0-3b 4e bb 3f 2a 95 2f 49 Computer Type : Other Computer Physical CPU's : 2 Computer Logical CPU's : 4 CPU0 Architecture : x64 Physical Cores: 2 Logical Cores : 2 CPU1 Architecture : x64 Physical Cores: 2 Logical Cores : 2 Computer Memory : 8190 MB RAM slot #0 Form Factor: DIMM Type : DRAM Capacity : 8192 MB </plugin_output>

Re: Partial Value as a match or field

ITWhisperer — Wed, 20 Jul 2022 16:10:22 GMT

(I unlinked your example as it referred to your server)

Can you post the raw event (desensitised of course) in a code block </> so we can see what you are actually dealing with?

If not, try this

| rex "Computer SerialNumber : (?<ComputerSerialNumber>.+) Computer Type"

Re: Partial Value as a match or field

Minasdad — Wed, 20 Jul 2022 16:20:45 GMT

I randomized parts of that value to define a non-existent server. I posted that example to show that the field had a single value with multiple strings. I'm trying to parse the strings to single out the Serial Number.

Re: Partial Value as a match or field

ITWhisperer — Wed, 20 Jul 2022 16:28:09 GMT

Fair enough (on the randomising) - the problem you appear to have is that there is no clear delimiter between key/value pairs in the string (obviously keys and values appear to be separated by colons). You could expand the rex or have multiple rex commands to anchor the pattern before and after the values you want (as I have shown for the serial number), but unless there is an invisible delimiter, it would be difficult to make it generic.

Re: Partial Value as a match or field

Minasdad — Wed, 20 Jul 2022 16:41:15 GMT

Your rex query actually came fairly close to isolating the string, it return every string that started with "Computer" which is alot closer and a much smaller return then the whole value.

Re: Is it possible to break a value down to partial values as a match or field?

Minasdad — Wed, 20 Jul 2022 16:46:41 GMT

Thanks for you help, I figured it out, building on your rex query.

sourcetype=tenable:sc:vuln SerialNumber
| rex max_match=0 field=_raw "Computer SerialNumber : (?<ComputerSerialNumber>.+) Computer Type" | table ComputerSerialNumber