- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Field extraction needed
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have data in XML format. Out of many fields that I have extracted, there is another field name pluginText which is in below format. I need to have some fields extracted from below.
I need below two fields. Also, if there is a rex I can use to extract all fields in below tags using a universal logic, that will be great. Thanks in-advance!!!
Nessus version
Plugin feed version
See sample below:
pluginText: <plugin_output>Information about this scan :
Nessus version : 7.6.3
Plugin feed version : 202010122335
Scanner edition used : Sample
Scan type : Windows Agent
Scan policy used : Windows_Server_2019
Scanner IP : 0.0.0.0
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : yes
Patch management checks : None
Display superseded patches : yes (supersedence plugin did not launch)
CGI scanning : disabled
Web application tests : disabled
Max hosts :
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan duration : unknown
</plugin_output>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are a few things you can if you don't have mvmap
Include the space in the mvfind and trim the value found
| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval nessus=mvfind(tag,"Nessus version ")
| eval nessusvalue=trim(mvindex(value,nessus))Compress " : " to ":" in the string before rex
| eval events=replace(events," : ",":")
| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval nessus=mvfind(tag,"Nessus version")
| eval nessusvalue=mvindex(value,nessus)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval tagvalue=mvzip(tag,value,":")
| mvexpand tagvalue
| fields tagvalue
| rex field=tagvalue "(?<tag>.+)\s:\s(?<value>.+)"
| fields - tagvalueFirst line will extract the fields, the remainder creates separate events for each if you need that. If not, you could "lookup" the tags and their values in the multi-value fields thus
| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval tag=mvmap(tag,trim(tag))
| eval value=mvmap(value,trim(value))
| eval nessus=mvfind(tag,"Nessus version")
| eval nessusvalue=mvindex(value,nessus)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ITWhisperer,
So first solution produces results and I am testing them. I tried using the second one as well to test as well and it is giving error that mvmap is unsupported or undefined. I am @ Splunk Enterprise 7.x. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are a few things you can if you don't have mvmap
Include the space in the mvfind and trim the value found
| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval nessus=mvfind(tag,"Nessus version ")
| eval nessusvalue=trim(mvindex(value,nessus))Compress " : " to ":" in the string before rex
| eval events=replace(events," : ",":")
| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval nessus=mvfind(tag,"Nessus version")
| eval nessusvalue=mvindex(value,nessus)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect. Thank you!!!!
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
