Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field extraction needed

mbasharat
Builder
‎10-14-2020 07:37 AM

Hi,

I have data in XML format. Out of many fields that I have extracted, there is another field name pluginText which is in below format. I need to have some fields extracted from below.

I need below two fields. Also, if there is a rex I can use to extract all fields in below tags using a universal logic, that will be great. Thanks in-advance!!!

Nessus version

Plugin feed version

See sample below:

 

pluginText: <plugin_output>Information about this scan :

Nessus version : 7.6.3
Plugin feed version : 202010122335
Scanner edition used : Sample
Scan type : Windows Agent
Scan policy used : Windows_Server_2019
Scanner IP : 0.0.0.0
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : yes
Patch management checks : None
Display superseded patches : yes (supersedence plugin did not launch)
CGI scanning : disabled
Web application tests : disabled
Max hosts :
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan duration : unknown
</plugin_output>

 

 

Labels (4)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-14-2020 09:33 AM

There are a few things you can if you don't have mvmap

Include the space in the mvfind and trim the value found

| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval nessus=mvfind(tag,"Nessus version ")
| eval nessusvalue=trim(mvindex(value,nessus))

Compress " : " to ":" in the string before rex

| eval events=replace(events," : ",":")
| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval nessus=mvfind(tag,"Nessus version")
| eval nessusvalue=mvindex(value,nessus)

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-14-2020 09:05 AM 
| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval tagvalue=mvzip(tag,value,":")
| mvexpand tagvalue
| fields tagvalue
| rex field=tagvalue "(?<tag>.+)\s:\s(?<value>.+)"
| fields - tagvalue

First line will extract the fields, the remainder creates separate events for each if you need that. If not, you could "lookup" the tags and their values in the multi-value fields thus

| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval tag=mvmap(tag,trim(tag))
| eval value=mvmap(value,trim(value))
| eval nessus=mvfind(tag,"Nessus version")
| eval nessusvalue=mvindex(value,nessus)
0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎10-14-2020 09:16 AM

Hi ITWhisperer,

 

So first solution produces results and I am testing them. I tried using the second one as well to test as well and it is giving error that mvmap is unsupported or undefined. I am @ Splunk Enterprise 7.x. Thanks.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-14-2020 09:33 AM

There are a few things you can if you don't have mvmap

Include the space in the mvfind and trim the value found

| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval nessus=mvfind(tag,"Nessus version ")
| eval nessusvalue=trim(mvindex(value,nessus))

Compress " : " to ":" in the string before rex

| eval events=replace(events," : ",":")
| rex max_match=0 field=events "(\r|\n)*(?<tag>[^:]+):(?<value>[^\r\n]+)"
| eval nessus=mvfind(tag,"Nessus version")
| eval nessusvalue=mvindex(value,nessus)

 

0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎10-14-2020 09:53 AM

Perfect. Thank you!!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...