
Parse out tenable plugin_text correctly

fbond_diligent
Engager

I have the tenable TA installed and the data is getting into Splunk correctly; however, when looking at the logs, the field pluginText is not parsed out correctly. I assume it is because of the additional code in that section of the logs (<plugin_output>), but I do not know how to break down all the other sub-fields.

   patchPubDate: -1
   pluginID: 19506
   pluginInfo: 19506 (0/6) Nessus Scan Information
   pluginModDate: 1591977600
   pluginName: Nessus Scan Information
   pluginPubDate: 1125072000
   pluginText: <plugin_output>Information about this scan : 

Nessus version : 8.9.0
Plugin feed version : 202008150609
Scanner edition used : Nessus
Scan type : Normal
Scan policy used : 95a08a01-72d2-5765-b9ac-e3abc775c2ad-7940724/Copy of Corp Advanced Scan PoC
Scanner IP : 10.32.34.182
Port scanner(s) : nessus_syn_scanner 
Port range : sc-default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2020/8/17 6:26 EST
Scan duration : 1533 sec
</plugin_output>
   plugin_id: 19506
   port: 0
   protocol: TCP
   recastRisk: false

Like I would like Splunk to create fields for Scan Start Date, Scan duration...



kennetkline
Path Finder

As requested

If you want the duration as an integer only:

index=nessus sourcetype="tenable:sc:vuln" pluginID=19506
| rex field=pluginText "Scan duration\s+:\s+(?<scanDuration>[0-9]+)\s"
| rex field=pluginText "Scan Start Date\s+:\s+(?<scanStart>[0-9A-Z\/\s:]+)\n"


If you want it as a string that includes "sec":

index=nessus sourcetype="tenable:sc:vuln" pluginID=19506
| rex field=pluginText "Scan duration\s+:\s+(?<scanDuration>[0-9a-z\s]+)\n"
| rex field=pluginText "Scan Start Date\s+:\s+(?<scanStart>[0-9A-Z\/\s:]+)\n"

 
