Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I extract this Operating System field from ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumansah
New Member
11-03-2015
08:35 PM
I have exported a CSV from Nessus and I want to extract "Remote operating system : " and want the result as Microsoft Windows Server 2008 R2 Datacenter Service Pack 1 and Juniper Junos Version 12.3R7.7
Any suggestions?
Sample Data:
"11936","","","None","192.168.1.4","tcp","0","OS Identification","It is possible to guess the remote operating system.","Using a combination of remote probes (e.g. TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.","n/a",""," Remote operating system : Microsoft Windows Server 2008 R2 Datacenter Service Pack 1 Confidence level : 99
"11936","","","None","192.168.1.7","tcp","0","OS Identification","It is possible to guess the remote operating system.","Using a combination of remote probes (e.g. TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.","n/a",""," Remote operating system : Juniper Junos Version 12.3R7.7
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kbarker302
Communicator
11-04-2015
10:23 AM
It sounds like you want to do a field extraction:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Knowledge/ExtractfieldsinteractivelywithIFX
If the two examples above are from your search results, you should be able to do the following:
Expand one of the search results
Click Event Actions -- Extract Field
Click Regular Expressions -- Click Next
Select the value for the operating system (ex: Microsoft Windows Server 2008 R2 Datacenter Service Pack 1). Select just the value, not the "Remote operating system" label
Enter a name for the field (ex: remote_os) and click Add Extraction
Click Next a couple more times and click Save.
When you do a search on that data again, you should see remote_os show up as an interesting field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kbarker302
Communicator
11-04-2015
10:23 AM
It sounds like you want to do a field extraction:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Knowledge/ExtractfieldsinteractivelywithIFX
If the two examples above are from your search results, you should be able to do the following:
Expand one of the search results
Click Event Actions -- Extract Field
Click Regular Expressions -- Click Next
Select the value for the operating system (ex: Microsoft Windows Server 2008 R2 Datacenter Service Pack 1). Select just the value, not the "Remote operating system" label
Enter a name for the field (ex: remote_os) and click Add Extraction
Click Next a couple more times and click Save.
When you do a search on that data again, you should see remote_os show up as an interesting field.
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
