How to "Bucket" Certain Field Values into a new Field?

atebysandwich — Thu, 16 Mar 2023 19:09:27 GMT

I have a lookup of vulnerability scan data that includes fields such as hostname, IP, OS, CVEs, etc. I would like to put all OSs that are specified as a desktop OS as a field value named Desktop; anything that is specified as a server OS as a field value named Server but add an extra layer of specification if it's Unix or Windows; and anything with a network OS specified as Network and then put those field values in a new field called OS_Specified

Here is an example of the OS's I would like to categorize.

Desktop

Windows 10 Enterprise 64 bit Edition Version 1803
Windows 10 Enterprise 64 bit Edition Version 21H1
Windows 10

Server

Red Hat Enterprise Linux 8.7
Windows Server 2012 R2 Datacenter 64 bit Edition
Windows Server 2016 Datacenter Version 1607

Network

Cisco Nexus Switch
CentOS Linux 8.4.2105

I'm assuming eval and/or rex is going to need to be involved, and that is where I would need assistance.

I feel like my ask is similar to This but a little more involved.

Re: How to "Bucket" Certain Field Values into a new Field?

richgalloway — Thu, 16 Mar 2023 19:16:54 GMT

A series of case statement should do the job.

| inputlookup mylookup.csv | eval Desktop = case(match(OS, "Windows 10"), 1, 1==1, null()) | eval Server = case(match(OS, "Windows Server"), 1, match(OS, "Red Hat"), 1, ``` Insert matches for other OSs here``` 1==1, null()) | eval Network = case(match(OS, "Cisco", 1, match(OS, "CentOS Linux", 1, 1==1, null())

topic Re: How to "Bucket" Certain Field Values into a new Field? in Splunk Search

How to "Bucket" Certain Field Values into a new Field?

Re: How to "Bucket" Certain Field Values into a new Field?