I have the Tenable TA installed and the data is getting into Splunk correctly; however, when looking at the logs, the field pluginText is not parsed out correctly. I assume it is because of the additional code in that section of the logs, <plugin_output>, but I do not know how to break down all the other sub-fields.
patchPubDate: -1
pluginID: 19506
pluginInfo: 19506 (0/6) Nessus Scan Information
pluginModDate: 1591977600
pluginName: Nessus Scan Information
pluginPubDate: 1125072000
pluginText: <plugin_output>Information about this scan :
Nessus version : 8.9.0
Plugin feed version : 202008150609
Scanner edition used : Nessus
Scan type : Normal
Scan policy used : 95a08a01-72d2-5765-b9ac-e3abc775c2ad-7940724/Copy of Corp Advanced Scan PoC
Scanner IP : 10.32.34.182
Port scanner(s) : nessus_syn_scanner
Port range : sc-default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2020/8/17 6:26 EST
Scan duration : 1533 sec
</plugin_output>
plugin_id: 19506
port: 0
protocol: TCP
recastRisk: false
I would like Splunk to create fields for Scan Start Date, Scan duration, etc.
As requested
If you want the duration as an integer only:
index=nessus sourcetype="tenable:sc:vuln" pluginID=19506
| rex field=pluginText "Scan duration\s+:\s+(?<scanDuration>[0-9]+)\s"
| rex field=pluginText "Scan Start Date\s+:\s+(?<scanStart>[0-9A-Z\/\s:]+)\n"
If you want it as a string, with the "sec" part included:
index=nessus sourcetype="tenable:sc:vuln" pluginID=19506
| rex field=pluginText "Scan duration\s+:\s+(?<scanDuration>[0-9a-z\s]+)\n"
| rex field=pluginText "Scan Start Date\s+:\s+(?<scanStart>[0-9A-Z\/\s:]+)\n"
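The two rex commands above pull out two labels by hand. The original question asks for all of the sub-fields, so here is an added example (not from either post, and not Splunk's or Tenable's code) that generalises the same idea in Python: strip the `<plugin_output>` tags, split every `Label : value` line into a field named the way Splunk would accept, and turn the duration into an integer. The sample text is the plugin output quoted in the question; the function names are my own.

```python
import re

# Sample pluginText, copied from the question's log excerpt (abridged).
SAMPLE_PLUGIN_TEXT = """<plugin_output>Information about this scan :
Nessus version : 8.9.0
Plugin feed version : 202008150609
Scanner edition used : Nessus
Scan type : Normal
Scan policy used : 95a08a01-72d2-5765-b9ac-e3abc775c2ad-7940724/Copy of Corp Advanced Scan PoC
Scanner IP : 10.32.34.182
Port scanner(s) : nessus_syn_scanner
Allow post-scan editing: Yes
Scan Start Date : 2020/8/17 6:26 EST
Scan duration : 1533 sec
</plugin_output>"""

TAG_RE = re.compile(r"</?plugin_output>")
# The label is everything up to the FIRST colon (lazy match), so a value such
# as "6:26" keeps its own colon; spaces around the colon are optional because
# "Allow post-scan editing: Yes" has none before it.
LINE_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")

def field_name(key: str) -> str:
    """'Scan Start Date' -> 'scan_start_date'; 'Port scanner(s)' -> 'port_scanner_s'."""
    return re.sub(r"[^a-z0-9]+", "_", key.lower()).strip("_")

def parse_plugin_output(plugin_text: str) -> dict:
    """Return one field per 'Label : value' line inside the plugin_output block."""
    fields = {}
    for line in TAG_RE.sub("", plugin_text).splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # free text that is not a label/value pair
        fields[field_name(m.group("key"))] = m.group("value")
    return fields

def scan_duration_seconds(fields: dict):
    """'1533 sec' -> 1533; None when the field is missing or not numeric."""
    m = re.match(r"(\d+)", fields.get("scan_duration", ""))
    return int(m.group(1)) if m else None

if __name__ == "__main__":
    parsed = parse_plugin_output(SAMPLE_PLUGIN_TEXT)
    print(parsed["scan_start_date"], scan_duration_seconds(parsed))
```

Running it on a real pluginText value lets you check which labels vary between plugin 19506 outputs before committing to a fixed set of rex extractions.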