topic merge fields in Splunk Search

merge fields

skhedim — Tue, 29 Sep 2020 18:42:16 GMT

Hello,

I'm new to the splunk universe, and I need to create a dashboard listing the CVEs (security holes) of a Docker image.

I think my need is feasible via splunk, but I don't know how to proceed. I'll try to go into as much detail as I can.

First of all, I get all these informations for scanning an image in splunk (example: debian)

I would like to process this information to get a dashboard similar to this one:
https://anchore.io/image/dockerhub/2b98c9851a37e18356abe407922726dc35c370f7cee76f435f94ee92950b4493?repo=library%2Fdebian&tag=latest#security

First, I would like to list all CVE line by line as on the website above. But when I try to do that, I get that result:

I have a column scrolling around the field with its number, and all this information is on one line. I would like all vulnerabilities_*_vuln fields to be "merged" into a single CVE field, in order to have the same result as on the anchore.io site above

Is it possible via splunk to get this result?

Thank you in advance,

Sincerely.

Re: merge fields

JDukeSplunk — Tue, 27 Mar 2018 17:38:06 GMT

You might want to eval, coalesce. I don't know if this will work..Just spitballing here. You'll have to fill in the additional fields in the eval statements if this works.

index="poc_anchor" "imagetag=docker.io/debian:latest
| eval "vulnerabilities"=coalesce(vulnerabilities_0_vuln,vulnerabilities_10_vuln,vulnerabilities_11_vuln)
| eval "severity"=coalesce(vulnerabilities_0_severity,vulnerabilities_10_severity,vulnerabilities_11_severity)
|stats list(vulnerabilities) as vulnerabilities by severity

Another option would be to create a more generic field extraction with a single name that captures all the CVE-\d+-\d+-\d+- patterns.

Re: merge fields

mayurr98 — Tue, 29 Sep 2020 18:43:06 GMT

Okay so you need to extract the vulnerabilities_*_vuln in one field . and then expand it .
can you share one sample event?

Re: merge fields

somesoni2 — Tue, 27 Mar 2018 22:38:44 GMT

Try like this

index="poc_anchor" "imagetag=docker.io/debian:latest
| fields index vulnerabilities_*
| untable index attribute value
| rex field=attribute "vulnerability_(?<VulnID>\d+)_(?<name>\w+)"
| chart values(value) over VulnID over name
| table vuln severity package fix url
| rename vuln as "CVE ID" severity as "Severity" package as "Vulnerable Package" fix as "Fix Available" url as "URL"

Re: merge fields

skhedim — Tue, 29 Sep 2020 18:48:00 GMT

Hi,

thanks for your quick answers!

I'm going to clarify what I want to reproduce, I want to get this table with the same columns based on the fields vulnerabilities_x_fix, vulnerabilities_x_vuln, etc.. I want to list every _vuln vulnerability on one line and the same with _fix, etc.

I think somesoni2's answer is very close to what I want. But I get an error Error in'chart' command: Invalid argument:'over'. if I replace the second over with "by" I have no more error but no result is displayed.

I also tried the JDukeSplunk solution, I get a table, but with only one line.

Do you have any other ideas? Thank you again.

Sincerely.

Re: merge fields

skhedim — Wed, 28 Mar 2018 09:11:46 GMT

thanks for the answer, I think it's very close to what I want, though it doesn't return anything. I don't understand the untable line. once I launched the untable line I couldn't do anything in return. Do you know what the problem might be?

Re: merge fields

somesoni2 — Wed, 28 Mar 2018 11:15:09 GMT

What all fields do you get when younrun below query?

index="poc_anchor" "imagetag=docker.io/debian:latest
 | table index vulnerabilities_*

After adding `| unstable index attribute value´ to above you should get a table with 3 columns index attribute value

Re: merge fields

skhedim — Tue, 29 Sep 2020 18:47:53 GMT

It's working!

I hadn't seen it but it was just missing "ies" at the end of vulnerabilities here:

rex field=attribute "vulnerabilit*ies*(?\d+)(?\w+)"

That's exactly what I wanted, thanks again!

See you later