Splunk Search

Extract the CVE value

rashid47010
Communicator

From an IPS event, how can I extract only the CVE value?

XXXXDxxxre xxxrability (CVE-201x-00xx) (severity = Low)

I am writing:
rex "CVE-(?\d+\d+)"

but no event appears

0 Karma

karimcisco
New Member

If you are using the TA Tenable, do you need to create a props.conf file under and put the regex described by Giuseppe?

local karim$ pwd
/Applications/Splunk/etc/apps/Splunk_TA_nessus/local
local karim $ ls
inputs.conf

215:local karim $ more inputs.conf
[monitor:///Applications/Splunk/etc/apps/Splunk_TA_nessus/spool]
disabled = false
host = 127.0.0.1
sourcetype = CVE_2017

Please advise

Thanks
Karim

0 Karma

woodcock
Esteemed Legend

Try this:

... | rex "CVE-(?<CVE>[^)]+)"
0 Karma

gcusello
SplunkTrust

Hi rashid47010,
try

\(CVE-(?<CVE>[^\)]*)\)

You can see it in https://regex101.com/r/Pmk72R/1

Bye.
Giuseppe

0 Karma
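
Added example, not written by any of the posters above: the two suggested patterns run in Python against constructed IPS-style events, next to a stricter pattern that follows the CVE ID syntax (CVE-YYYY-NNNN, sequence of four or more digits). The sample events, the strict pattern and the helper names are assumptions; Python's `re` spells the named group `(?P<CVE>...)` where Splunk's `rex` takes `(?<CVE>...)`.

```python
import re

# The two patterns from the answers, with the named group in Python syntax.
ANSWER_OPEN = re.compile(r"CVE-(?P<CVE>[^)]+)")          # captures up to the next ')'
ANSWER_PARENS = re.compile(r"\(CVE-(?P<CVE>[^\)]*)\)")   # requires "(CVE-...)"

# Assumption: stricter pattern based on the CVE ID syntax; keeps the "CVE-" prefix.
STRICT = re.compile(r"\b(?P<CVE>CVE-\d{4}-\d{4,})\b", re.IGNORECASE)

# Constructed sample events (not taken from the thread).
EVENTS = [
    "Apache Struts vulnerability (CVE-2017-5638) (severity = High)",
    "SMB exploit attempt CVE-2017-0144 blocked, action=drop (policy 7)",
    "Multiple issues (CVE-2014-0160) (CVE-2014-0224) (severity = Low)",
    "Generic probe (no CVE-assigned signature) (severity = Low)",
]


def first(pattern, event):
    """Return the CVE group of the first match, like rex with its default single match."""
    m = pattern.search(event)
    return m.group("CVE") if m else None


def all_strict(event):
    """Return every well-formed CVE ID in the event, normalised to upper case."""
    return [cve.upper() for cve in STRICT.findall(event)]


if __name__ == "__main__":
    for event in EVENTS:
        print(event)
        print("  open   :", first(ANSWER_OPEN, event))
        print("  parens :", first(ANSWER_PARENS, event))
        print("  strict :", all_strict(event))
```

In Splunk itself, `rex max_match=0` is the option that returns every match in an event as a multivalue field.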