Parse out tenable plugin_text correctly

fbond_diligent
Engager

I have the Tenable TA installed and the data is getting into Splunk correctly; however, when looking at the logs, the field pluginText is not parsed out correctly. I assume it is because of the additional code in that section of the logs (<plugin_output>), but I do not know how to break down all the other sub-fields.

 patchPubDate: -1
   pluginID: 19506
   pluginInfo: 19506 (0/6) Nessus Scan Information
   pluginModDate: 1591977600
   pluginName: Nessus Scan Information
   pluginPubDate: 1125072000
   pluginText: <plugin_output>Information about this scan : 

Nessus version : 8.9.0
Plugin feed version : 202008150609
Scanner edition used : Nessus
Scan type : Normal
Scan policy used : 95a08a01-72d2-5765-b9ac-e3abc775c2ad-7940724/Copy of Corp Advanced Scan PoC
Scanner IP : 10.32.34.182
Port scanner(s) : nessus_syn_scanner 
Port range : sc-default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2020/8/17 6:26 EST
Scan duration : 1533 sec
</plugin_output>
   plugin_id: 19506
   port: 0
   protocol: TCP
   recastRisk: false

I would like Splunk to create fields for Scan Start Date, Scan duration, ...

kennetkline
Path Finder

As requested

If you want duration as an integer only:

index=nessus sourcetype="tenable:sc:vuln" pluginID=19506
| rex field=pluginText "Scan duration\s+:\s+(?<scanDuration>[0-9]+)\s"
| rex field=pluginText "Scan Start Date\s+:\s+(?<scanStart>[0-9A-Z\/\s:]+)\n"


If you want it as a string that includes "secs":

index=nessus sourcetype="tenable:sc:vuln" pluginID=19506
| rex field=pluginText "Scan duration\s+:\s+(?<scanDuration>[0-9a-z\s]+)\n"
| rex field=pluginText "Scan Start Date\s+:\s+(?<scanStart>[0-9A-Z\/\s:]+)\n"

 
