Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I extract this Operating System field from ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have exported a CSV from Nessus and I want to extract "Remote operating system : " and want the result as Microsoft Windows Server 2008 R2 Datacenter Service Pack 1 and Juniper Junos Version 12.3R7.7
Any suggestions?
Sample Data:
"11936","","","None","192.168.1.4","tcp","0","OS Identification","It is possible to guess the remote operating system.","Using a combination of remote probes (e.g. TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.","n/a",""," Remote operating system : Microsoft Windows Server 2008 R2 Datacenter Service Pack 1 Confidence level : 99
"11936","","","None","192.168.1.7","tcp","0","OS Identification","It is possible to guess the remote operating system.","Using a combination of remote probes (e.g. TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.","n/a",""," Remote operating system : Juniper Junos Version 12.3R7.7
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like you want to do a field extraction:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Knowledge/ExtractfieldsinteractivelywithIFX
If the two examples above are from your search results, you should be able to do the following:
Expand one of the search results
Click Event Actions -- Extract Field
Click Regular Expressions -- Click Next
Select the value for the operating system (ex: Microsoft Windows Server 2008 R2 Datacenter Service Pack 1). Select just the value, not the "Remote operating system" label
Enter a name for the field (ex: remote_os) and click Add Extraction
Click Next a couple more times and click Save.
When you do a search on that data again, you should see remote_os show up as an interesting field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like you want to do a field extraction:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Knowledge/ExtractfieldsinteractivelywithIFX
If the two examples above are from your search results, you should be able to do the following:
Expand one of the search results
Click Event Actions -- Extract Field
Click Regular Expressions -- Click Next
Select the value for the operating system (ex: Microsoft Windows Server 2008 R2 Datacenter Service Pack 1). Select just the value, not the "Remote operating system" label
Enter a name for the field (ex: remote_os) and click Add Extraction
Click Next a couple more times and click Save.
When you do a search on that data again, you should see remote_os show up as an interesting field.
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
