Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I extract this Operating System field from ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have exported a CSV from Nessus and I want to extract "Remote operating system : " and want the result as Microsoft Windows Server 2008 R2 Datacenter Service Pack 1 and Juniper Junos Version 12.3R7.7
Any suggestions?
Sample Data:
"11936","","","None","192.168.1.4","tcp","0","OS Identification","It is possible to guess the remote operating system.","Using a combination of remote probes (e.g. TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.","n/a",""," Remote operating system : Microsoft Windows Server 2008 R2 Datacenter Service Pack 1 Confidence level : 99
"11936","","","None","192.168.1.7","tcp","0","OS Identification","It is possible to guess the remote operating system.","Using a combination of remote probes (e.g. TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.","n/a",""," Remote operating system : Juniper Junos Version 12.3R7.7
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like you want to do a field extraction:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Knowledge/ExtractfieldsinteractivelywithIFX
If the two examples above are from your search results, you should be able to do the following:
Expand one of the search results
Click Event Actions -- Extract Field
Click Regular Expressions -- Click Next
Select the value for the operating system (ex: Microsoft Windows Server 2008 R2 Datacenter Service Pack 1). Select just the value, not the "Remote operating system" label
Enter a name for the field (ex: remote_os) and click Add Extraction
Click Next a couple more times and click Save.
When you do a search on that data again, you should see remote_os show up as an interesting field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like you want to do a field extraction:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Knowledge/ExtractfieldsinteractivelywithIFX
If the two examples above are from your search results, you should be able to do the following:
Expand one of the search results
Click Event Actions -- Extract Field
Click Regular Expressions -- Click Next
Select the value for the operating system (ex: Microsoft Windows Server 2008 R2 Datacenter Service Pack 1). Select just the value, not the "Remote operating system" label
Enter a name for the field (ex: remote_os) and click Add Extraction
Click Next a couple more times and click Save.
When you do a search on that data again, you should see remote_os show up as an interesting field.
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
