Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I extract this Operating System field from my sample data?

sumansah
SplunkTrust
SplunkTrust
‎11-03-2015 08:35 PM

I have exported a CSV from Nessus and I want to extract "Remote operating system : " and want the result as Microsoft Windows Server 2008 R2 Datacenter Service Pack 1 and Juniper Junos Version 12.3R7.7

Any suggestions?

Sample Data:

"11936","","","None","192.168.1.4","tcp","0","OS Identification","It is possible to guess the remote operating system.","Using a combination of remote probes (e.g. TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.","n/a",""," Remote operating system : Microsoft Windows Server 2008 R2 Datacenter Service Pack 1 Confidence level : 99

"11936","","","None","192.168.1.7","tcp","0","OS Identification","It is possible to guess the remote operating system.","Using a combination of remote probes (e.g. TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.","n/a",""," Remote operating system : Juniper Junos Version 12.3R7.7
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kbarker302
Communicator
‎11-04-2015 10:23 AM

It sounds like you want to do a field extraction:

http://docs.splunk.com/Documentation/Splunk/6.3.0/Knowledge/ExtractfieldsinteractivelywithIFX

If the two examples above are from your search results, you should be able to do the following:

Expand one of the search results

Click Event Actions -- Extract Field

Click Regular Expressions -- Click Next

Select the value for the operating system (ex: Microsoft Windows Server 2008 R2 Datacenter Service Pack 1). Select just the value, not the "Remote operating system" label

Enter a name for the field (ex: remote_os) and click Add Extraction

Click Next a couple more times and click Save.

When you do a search on that data again, you should see remote_os show up as an interesting field.

View solution in original post

Reply
Solved! Jump to solution
Solution

kbarker302
Communicator
‎11-04-2015 10:23 AM

It sounds like you want to do a field extraction:

http://docs.splunk.com/Documentation/Splunk/6.3.0/Knowledge/ExtractfieldsinteractivelywithIFX

If the two examples above are from your search results, you should be able to do the following:

Expand one of the search results

Click Event Actions -- Extract Field

Click Regular Expressions -- Click Next

Select the value for the operating system (ex: Microsoft Windows Server 2008 R2 Datacenter Service Pack 1). Select just the value, not the "Remote operating system" label

Enter a name for the field (ex: remote_os) and click Add Extraction

Click Next a couple more times and click Save.

When you do a search on that data again, you should see remote_os show up as an interesting field.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...