Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Field extraction needed

mbasharat
Builder
‎10-14-2020 07:37 AM

Hi,

I have data in XML format. Out of many fields that I have extracted, there is another field name pluginText which is in below format. I need to have some fields extracted from below.

I need below two fields. Also, if there is a rex I can use to extract all fields in below tags using a universal logic, that will be great. Thanks in-advance!!!

Nessus version

Plugin feed version

See sample below:

 

pluginText: <plugin_output>Information about this scan :

Nessus version : 7.6.3
Plugin feed version : 202010122335
Scanner edition used : Sample
Scan type : Windows Agent
Scan policy used : Windows_Server_2019
Scanner IP : 0.0.0.0
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : yes
Patch management checks : None
Display superseded patches : yes (supersedence plugin did not launch)
CGI scanning : disabled
Web application tests : disabled
Max hosts :
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan duration : unknown
</plugin_output>

 

 

Labels (4)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-14-2020 09:33 AM

There are a few things you can if you don't have mvmap

Include the space in the mvfind and trim the value found

| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval nessus=mvfind(tag,"Nessus version ")
| eval nessusvalue=trim(mvindex(value,nessus))

Compress " : " to ":" in the string before rex

| eval events=replace(events," : ",":")
| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval nessus=mvfind(tag,"Nessus version")
| eval nessusvalue=mvindex(value,nessus)

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-14-2020 09:05 AM 
| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval tagvalue=mvzip(tag,value,":")
| mvexpand tagvalue
| fields tagvalue
| rex field=tagvalue "(?<tag>.+)\s:\s(?<value>.+)"
| fields - tagvalue

First line will extract the fields, the remainder creates separate events for each if you need that. If not, you could "lookup" the tags and their values in the multi-value fields thus

| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval tag=mvmap(tag,trim(tag))
| eval value=mvmap(value,trim(value))
| eval nessus=mvfind(tag,"Nessus version")
| eval nessusvalue=mvindex(value,nessus)
0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎10-14-2020 09:16 AM

Hi ITWhisperer,

 

So first solution produces results and I am testing them. I tried using the second one as well to test as well and it is giving error that mvmap is unsupported or undefined. I am @ Splunk Enterprise 7.x. Thanks.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-14-2020 09:33 AM

There are a few things you can if you don't have mvmap

Include the space in the mvfind and trim the value found

| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval nessus=mvfind(tag,"Nessus version ")
| eval nessusvalue=trim(mvindex(value,nessus))

Compress " : " to ":" in the string before rex

| eval events=replace(events," : ",":")
| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval nessus=mvfind(tag,"Nessus version")
| eval nessusvalue=mvindex(value,nessus)

 

0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎10-14-2020 09:53 AM

Perfect. Thank you!!!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...