Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field extraction needed

mbasharat
Builder
‎10-14-2020 07:37 AM

Hi,

I have data in XML format. Out of many fields that I have extracted, there is another field name pluginText which is in below format. I need to have some fields extracted from below.

I need below two fields. Also, if there is a rex I can use to extract all fields in below tags using a universal logic, that will be great. Thanks in-advance!!!

Nessus version

Plugin feed version

See sample below:

 

pluginText: <plugin_output>Information about this scan :

Nessus version : 7.6.3
Plugin feed version : 202010122335
Scanner edition used : Sample
Scan type : Windows Agent
Scan policy used : Windows_Server_2019
Scanner IP : 0.0.0.0
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : yes
Patch management checks : None
Display superseded patches : yes (supersedence plugin did not launch)
CGI scanning : disabled
Web application tests : disabled
Max hosts :
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan duration : unknown
</plugin_output>

 

 

Labels (4)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-14-2020 09:33 AM

There are a few things you can if you don't have mvmap

Include the space in the mvfind and trim the value found

| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval nessus=mvfind(tag,"Nessus version ")
| eval nessusvalue=trim(mvindex(value,nessus))

Compress " : " to ":" in the string before rex

| eval events=replace(events," : ",":")
| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval nessus=mvfind(tag,"Nessus version")
| eval nessusvalue=mvindex(value,nessus)

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-14-2020 09:05 AM 
| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval tagvalue=mvzip(tag,value,":")
| mvexpand tagvalue
| fields tagvalue
| rex field=tagvalue "(?<tag>.+)\s:\s(?<value>.+)"
| fields - tagvalue

First line will extract the fields, the remainder creates separate events for each if you need that. If not, you could "lookup" the tags and their values in the multi-value fields thus

| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval tag=mvmap(tag,trim(tag))
| eval value=mvmap(value,trim(value))
| eval nessus=mvfind(tag,"Nessus version")
| eval nessusvalue=mvindex(value,nessus)
0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎10-14-2020 09:16 AM

Hi ITWhisperer,

 

So first solution produces results and I am testing them. I tried using the second one as well to test as well and it is giving error that mvmap is unsupported or undefined. I am @ Splunk Enterprise 7.x. Thanks.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-14-2020 09:33 AM

There are a few things you can if you don't have mvmap

Include the space in the mvfind and trim the value found

| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval nessus=mvfind(tag,"Nessus version ")
| eval nessusvalue=trim(mvindex(value,nessus))

Compress " : " to ":" in the string before rex

| eval events=replace(events," : ",":")
| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval nessus=mvfind(tag,"Nessus version")
| eval nessusvalue=mvindex(value,nessus)

 

0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎10-14-2020 09:53 AM

Perfect. Thank you!!!!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...