Dashboards & Visualizations

Parse out tenable plugin_text correctly

fbond_diligent
Engager

I have the tenable TA installed and the data is getting into Splunk correctly, however when looking at the logs the field pluginText is not parsed out correctly. I assume it is because of the additional code in that section of the logs <plugin_output> but I do not know how to break down all the other sub-fields. 

 patchPubDate: -1
   pluginID: 19506
   pluginInfo: 19506 (0/6) Nessus Scan Information
   pluginModDate: 1591977600
   pluginName: Nessus Scan Information
   pluginPubDate: 1125072000
   pluginText: <plugin_output>Information about this scan : 

Nessus version : 8.9.0
Plugin feed version : 202008150609
Scanner edition used : Nessus
Scan type : Normal
Scan policy used : 95a08a01-72d2-5765-b9ac-e3abc775c2ad-7940724/Copy of Corp Advanced Scan PoC
Scanner IP : 10.32.34.182
Port scanner(s) : nessus_syn_scanner 
Port range : sc-default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2020/8/17 6:26 EST
Scan duration : 1533 sec
</plugin_output>
   plugin_id: 19506
   port: 0
   protocol: TCP
   recastRisk: false


Like I would like Splunk to create fields for Scan Start Date, Scan duration...


kennetkline
Path Finder

As requested

If you want duration as an integer only

index=nessus sourcetype="tenable:sc:vuln" pluginID=19506
| rex field=pluginText "Scan duration\s+:\s+(?<scanDuration>[0-9]+)\s"
| rex field=pluginText "Scan Start Date\s+:\s+(?<scanStart>[0-9A-Z\/\s:]+)\n"


If you want it as a string (with the "secs")

index=nessus sourcetype="tenable:sc:vuln" pluginID=19506
| rex field=pluginText "Scan duration\s+:\s+(?<scanDuration>[0-9a-z\s]+)\n"
| rex field=pluginText "Scan Start Date\s+:\s+(?<scanStart>[0-9A-Z\/\s:]+)\n"

 

0 Karma
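As an added example (not code from this thread or from the Tenable TA), here is a Python version of the same extraction, generalised to pull every "Name : value" line out of the plugin_output block rather than just the two fields above, so the regexes can be checked offline against a constructed sample before they go into a rex command. Field names are normalised to snake_case; the sample text is constructed from the excerpt in the question.

```python
import re

# Constructed sample pluginText, modelled on the excerpt in the question
SAMPLE = """<plugin_output>Information about this scan : 

Nessus version : 8.9.0
Scan policy used : 95a08a01-72d2-5765-b9ac-e3abc775c2ad-7940724/Copy of Corp Advanced Scan PoC
Scanner IP : 10.32.34.182
Port scanner(s) : nessus_syn_scanner 
Allow post-scan editing: Yes
Scan Start Date : 2020/8/17 6:26 EST
Scan duration : 1533 sec
</plugin_output>"""

# One 'Name : value' line; the key stops at the first colon, surrounding
# whitespace is trimmed from both sides
LINE_RE = re.compile(r"^\s*(?P<key>[^:\n]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_plugin_text(text):
    """Return {field_name: value} for every 'Name : value' line inside
    <plugin_output>...</plugin_output>. Names become snake_case, e.g.
    'Scan Start Date' -> 'scan_start_date'."""
    m = re.search(r"<plugin_output>(.*?)</plugin_output>", text, re.S)
    body = m.group(1) if m else text
    fields = {}
    for line in body.splitlines():
        lm = LINE_RE.match(line)
        if not lm or not lm.group("value"):
            continue  # skips blanks and the 'Information about this scan :' header
        key = re.sub(r"[^0-9a-z]+", "_", lm.group("key").lower()).strip("_")
        fields[key] = lm.group("value")
    return fields


def scan_duration_seconds(fields):
    """Integer seconds from the 'Scan duration' value, or None if absent."""
    m = re.match(r"(\d+)\s*sec", fields.get("scan_duration", ""))
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    parsed = parse_plugin_text(SAMPLE)
    print(parsed["scan_start_date"], scan_duration_seconds(parsed))
```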