How do I Remove linebreak characters from nbe files

Communicator

Hello all,

We have Nessus running on a Linux server which also has a Splunk Heavy Forwarder 4.1.8. We have the Nessus reports going to a certain directory which Splunk monitors locally and sends to our Indexer. The results are in this format when they reach the indexer:

results|domain.com|nessus.domain.com|general/tcp|19506|Security Note|\nSynopsis :\n\nInformation about the Nessus scan.\n\nDescription :\n\nThis script displays, for each tested host, information about the scan itself:\n\n - The version of the plugin set\n - The type of plugin feed (HomeFeed or ProfessionalFeed)\n - The version of the Nessus Engine\n - The port scanner(s) used\n - The port range scanned\n - The date of the scan\n - The duration of the scan\n - The number of hosts scanned in parallel\n - The number of checks done in parallel\n\nSolution :\n\nn/a\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nInformation about this scan : \n\nNessus version...

I would like to remove the line break characters (\n AND \n\n) so I can create fields for Description and Synopsis. I'm thinking this will involve a props and maybe a transform; however, I haven't been able to find any documentation on how to do this. Thanks in advance for any help!

I-Man

1 Solution

SplunkTrust

Are these actual line break characters, or are they literally a "\" followed by an "n"? I have never seen Splunk fail to properly consume and deal with actual newlines (CR+LF or LF alone). My guess is these are real backslashes followed by n's. You could check the raw files Nessus makes before Splunk consumes them, just to make sure.

If that is what they are, then you can easily use SEDCMD to fix up the input. I think something like this would work in props.conf.

[mysourcetype]
# delete every literal backslash-n pair from the event before it is indexed
SEDCMD-backslash_n = s/\\n//g

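The check and the transform the answer describes, worked through in Python as an added example (this is not code from the thread or from Splunk). It assumes the .nbe line layout quoted in the question: six pipe-delimited header fields, then plugin text in which "\n" is two literal characters. The sample line is constructed and shortened, the field names are my choice, and the "replace with a space" variant and its props.conf spelling are my suggestion, not part of the accepted answer. The point of the second variant is a caveat worth knowing before you deploy the strip form: deleting the pairs outright fuses words that were on separate lines ("None" and "Plugin output" become "NonePlugin output"), so the extraction regexes still work because they key on the labels, but the bare term is no longer a separate token in the raw text.

```python
import re

# Constructed sample: one .nbe "results" line in the layout quoted in the
# question, with "\n" as a literal backslash followed by the letter n.
SAMPLE_NBE_LINE = (
    r"results|domain.com|nessus.domain.com|general/tcp|19506|Security Note|"
    r"\nSynopsis :\n\nInformation about the Nessus scan.\n\n"
    r"Description :\n\nThis script displays, for each tested host, "
    r"information about the scan itself.\n\n"
    r"Solution :\n\nn/a\n\nRisk factor :\n\nNone\n\n"
    r"Plugin output :\n\nInformation about this scan :"
)


def classify_newlines(raw: str) -> dict:
    r"""The check the answer recommends: are the breaks real line feeds, or a
    backslash followed by the letter n?  Run this over the file before Splunk
    reads it; only the literal form needs a SEDCMD."""
    return {"real_lf": raw.count("\n"), "literal_backslash_n": raw.count("\\n")}


def apply_sedcmd_strip(text: str) -> str:
    r"""Python equivalent of the accepted answer's props.conf setting
    SEDCMD-backslash_n = s/\\n//g : delete every literal backslash-n pair."""
    return re.sub(r"\\n", "", text)


def apply_sedcmd_space(text: str) -> str:
    r"""Alternative (my suggestion, not from the thread): collapse each run of
    literal backslash-n pairs into one space so adjacent words stay separate.
    In props.conf this would be SEDCMD-backslash_n = s/(\\n)+/ /g, which
    assumes SEDCMD accepts the PCRE-style group; test it on a copy of the
    sourcetype first."""
    return re.sub(r"(?:\\n)+", " ", text)


# Named-group patterns in the form a props.conf EXTRACT- stanza takes; Splunk
# (PCRE) and Python both accept (?P<name>...). Field names are my choice.
# Each value is bounded by its own label and the next label, so extraction
# works whether the "\n" pairs were deleted or turned into spaces.
FIELD_PATTERNS = [
    re.compile(r"Synopsis :\s*(?P<synopsis>.+?)\s*Description :"),
    re.compile(r"Description :\s*(?P<description>.+?)\s*Solution :"),
    re.compile(r"Solution :\s*(?P<solution>.+?)\s*Risk factor :"),
    re.compile(r"Risk factor :\s*(?P<risk_factor>.+?)\s*Plugin output :"),
]

# Header column names are my labels for the six pipe-delimited fields.
HEADER_FIELDS = ("record_type", "domain", "host", "port", "plugin_id", "severity")


def parse_nbe_result(line: str, sedcmd=apply_sedcmd_space) -> dict:
    """Split one .nbe results line into its pipe-delimited header fields and
    the named text fields, after applying the chosen SEDCMD equivalent to the
    free-text part (everything after the sixth pipe)."""
    parts = line.split("|", len(HEADER_FIELDS))
    if len(parts) != len(HEADER_FIELDS) + 1:
        raise ValueError("expected %d pipe-delimited header fields" % len(HEADER_FIELDS))
    record = dict(zip(HEADER_FIELDS, parts[:-1]))
    text = sedcmd(parts[-1])
    record["text"] = text
    for pat in FIELD_PATTERNS:
        m = pat.search(text)
        if m:
            record.update(m.groupdict())
    return record


def indexed_terms(text: str) -> set:
    r"""Rough stand-in for whitespace tokenisation at index time, used to show
    why deleting the "\n" pairs fuses "None" and "Plugin" into one token while
    the space form keeps them as separate searchable terms."""
    return set(text.split())


if __name__ == "__main__":
    print(classify_newlines(SAMPLE_NBE_LINE))
    for name, fn in (("strip", apply_sedcmd_strip), ("space", apply_sedcmd_space)):
        rec = parse_nbe_result(SAMPLE_NBE_LINE, fn)
        print(name, {k: rec[k] for k in ("plugin_id", "severity", "synopsis", "risk_factor")})
        print(name, "'None' survives as a whole token:", "None" in indexed_terms(rec["text"]))
```

Run it against a real .nbe file by reading lines and feeding each "results|" line to parse_nbe_result; if classify_newlines reports real line feeds rather than literal pairs, the SEDCMD is not what you need and the answer's diagnosis does not apply to your file.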

Communicator

Yes, that is exactly how the nbe logs look prior to being splunked by Splunk. Furthermore, your SEDCMD script removed the literal \n perfectly! Thanks a million!