Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I extract this Operating System field from my sample data?

sumansah
New Member
‎11-03-2015 08:35 PM

I have exported a CSV from Nessus and I want to extract "Remote operating system : " and want the result as Microsoft Windows Server 2008 R2 Datacenter Service Pack 1 and Juniper Junos Version 12.3R7.7

Any suggestions?

Sample Data:

"11936","","","None","192.168.1.4","tcp","0","OS Identification","It is possible to guess the remote operating system.","Using a combination of remote probes (e.g. TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.","n/a",""," Remote operating system : Microsoft Windows Server 2008 R2 Datacenter Service Pack 1 Confidence level : 99

"11936","","","None","192.168.1.7","tcp","0","OS Identification","It is possible to guess the remote operating system.","Using a combination of remote probes (e.g. TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.","n/a",""," Remote operating system : Juniper Junos Version 12.3R7.7
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kbarker302
Communicator
‎11-04-2015 10:23 AM

It sounds like you want to do a field extraction:

http://docs.splunk.com/Documentation/Splunk/6.3.0/Knowledge/ExtractfieldsinteractivelywithIFX

If the two examples above are from your search results, you should be able to do the following:

Expand one of the search results

Click Event Actions -- Extract Field

Click Regular Expressions -- Click Next

Select the value for the operating system (ex: Microsoft Windows Server 2008 R2 Datacenter Service Pack 1). Select just the value, not the "Remote operating system" label

Enter a name for the field (ex: remote_os) and click Add Extraction

Click Next a couple more times and click Save.

When you do a search on that data again, you should see remote_os show up as an interesting field.

View solution in original post

Reply
Solved! Jump to solution
Solution

kbarker302
Communicator
‎11-04-2015 10:23 AM

It sounds like you want to do a field extraction:

http://docs.splunk.com/Documentation/Splunk/6.3.0/Knowledge/ExtractfieldsinteractivelywithIFX

If the two examples above are from your search results, you should be able to do the following:

Expand one of the search results

Click Event Actions -- Extract Field

Click Regular Expressions -- Click Next

Select the value for the operating system (ex: Microsoft Windows Server 2008 R2 Datacenter Service Pack 1). Select just the value, not the "Remote operating system" label

Enter a name for the field (ex: remote_os) and click Add Extraction

Click Next a couple more times and click Save.

When you do a search on that data again, you should see remote_os show up as an interesting field.

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top