Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Extract Fields from McAfee Vulnerability Manager

mzorzi
Splunk Employee
Splunk Employee
‎04-07-2015 06:29 AM

The events collected from the MVM have multiline fields, I would like to extract vendor_description,vendor_observation and vendor_recommendation.

What is the best props.conf configuration?

Apr 06 2015 08:22:41
TicketID=11674520
category_id=29
vendor_category=Security Policy/Options
cve=CVE-MAP-NOMATCH
msft=
mskb=
dest_ip=196.68.23.14
dest_name=SRVUDG987
dest_host=SRVUDG987.VGR.ATTGR.NET
signature=User Rights Restore Files And Directories Policy
vendor_severity=0
vendor_description=The User Rights "Restore files and directories" policy does not match the recommended compliance value.
vendor_observation=The User Rights "Restore files and directories" policy specifies which accounts may restore files and directories from a backup.

        NOTE: This check requires at least Foundstone version 4.0.6.
vendor_recommendation=Foundstone recommends the User Rights "Restore files and directories" be set via either a group policy INF file or by manually navigating to:

        Control Panel - Administrative Tools - Local Security Policy - Local Policies - User Rights Assignment

        Set the "Restore files and directories" policy to Administrators
0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎04-07-2015 06:52 AM

Why not this straightforward rex:

vendor_description=(?<description>.*)vendor_observation=(?<observation>.*)vendor_recommendation=(?<recommendation>.*)

When I use it with the s modifier (so that . includes newline) on your sample, I get exactly the entire text until the next vendor_ (with the first two entries at least, the last one just captures until the end of the event I guess).

0 Karma
Reply

mzorzi
Splunk Employee
Splunk Employee
‎04-07-2015 06:55 AM

have you tried it from props.conf? I have two different results between rex search command and props.conf

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎04-07-2015 07:01 AM

Unfortunately this is only rex-tested, sorry. I am not yet proficient with that sort of low-level setup. Why don't you try the expression in your props.conf, the modifier should work by prepending (?m)^ to your expression.

0 Karma
Reply

mzorzi
Splunk Employee
Splunk Employee
‎04-07-2015 06:30 AM

This works for me, but it is a bit random. Maybe you have better suggestion?

[vmdata]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
KV_MODE = none
EXTRACT-vall = (?mis)vendor_description=(?<vendor_descrition>.*)[\r\n]+vendor_observation=(?<vendor_observation>.*(?!vendor))[\r\n]+vendor_recommendation=(?<vendor_recommendation>.*)[\r\n]+
0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...