Splunk Search

How to do a multi line field extraction?

satyaallaparthi
Communicator

I want to extract each package line as an individual result.

I tried rex "Linux\ssystem\s\:\s+(?<packages>.+)", but that only extracts the first package line.

I also tried rex "Linux\ssystem\s\:\s+(?<packages>.+\w{1,3}\s\w{1,3}(\s+)?\d{1,2}\s\d{1,2}\:\d{1,2}\:\d{1,2}\s\d{4})", but got the same first line.

 

Here is the list of packages installed on the remote CentOS Linux system :

python-prettytable-0.7.2-3.el7|(none) Wed Jan 9 20:38:03 2019

gettext-0.19.8.1-3.el7|(none) Wed May 13 07:35:27 2020

cpp-4.8.5-44.el7|(none) Tue Feb 2 09:59:27 2021

kmod-20-28.el7|(none) Tue Feb 2 09:59:31 2021

glibc-2.17-324.el7_9|(none) Wed Mar 16 18:10:11 2022

diffutils-3.3-5.el7|(none) Tue Feb 2 09:59:00 2021

elfutils-default-yama-scope-0.176-5.el7|(none) Tue Feb 2 09:59:35 2021

glibc-2.17-324.el7_9|(none) Wed Mar 16 18:10:12 2022

numactl-libs-2.0.12-5.el7|(none) Tue Feb 2 09:59:02 2021

device-mapper-event-1.02.170-6.el7_9.3|7 Tue Feb 2 09:59:51 2021

0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try

rex max_match=0 "(?<packages>.+)\|\(*"


satyaallaparthi
Communicator

Thank you, I got the result I need using split and mvindex too 

0 Karma

satyaallaparthi
Communicator

"TCP","0","Software Enumeration (SSH)","It was possible to enumerate installed software on the remote host via SSH.","Nessus was able to list the software installed on the remote host by calling the appropriate command (e.g., 'rpm -qa' on RPM-based Linux distributions, qpkg, dpkg, etc.).","Remove any software that is not in compliance with your organization's acceptable use and security policies.","","
Here is the list of packages installed on the remote CentOS Linux system : 

  python-prettytable-0.7.2-3.el7|(none)      Wed Jan  9 20:38:03 2019
  gettext-0.19.8.1-3.el7|(none)      Wed May 13 07:35:27 2020
  cpp-4.8.5-44.el7|(none)      Tue Feb  2 09:59:27 2021
  kmod-20-28.el7|(none)      Tue Feb  2 09:59:31 2021
  glibc-2.17-324.el7_9|(none)      Wed Mar 16 18:10:11 2022
  diffutils-3.3-5.el7|(none)      Tue Feb  2 09:59:00 2021
  elfutils-default-yama-scope-0.176-5.el7|(none)      Tue Feb  2 09:59:35 2021
  glibc-2.17-324.el7_9|(none)      Wed Mar 16 18:10:12 2022
  numactl-libs-2.0.12-5.el7|(none)      Tue Feb  2 09:59:02 2021
  device-mapper-event-1.02.170-6.el7_9.3|7      Tue Feb  2 09:59:51 2021
  coreutils-8.22-24.el7_9.2|(none)      Tue Feb  2 09:59:07 2021
  ipset-libs-7.1-1.el7|(none)      Tue Feb  2 09:59:56 2021
  shared-mime-info-1.8-5.el7|(none)      Tue Feb  2 09:59:13 2021
  iptables-services-1.4.21-35.el7|(none)      Tue Feb  2 10:00:27 2021
  python-chardet-2.2.1-3.el7|(none)      Tue Feb  2 09:59:17 2021
  logrotate-3.8.6-19.el7|(none)      Tue Feb  2 09:59:18 2021
  python2-cryptography-1.7.2-2.el7|(none)      Wed Jan  9 19:43:51 2019
  perl-HTTP-Tiny-0.033-3.el7|(none)      Tue Aug 27 08:09:45 2019
  PyYAML-3.10-11.el7|(none)      Wed Jan  9 20:19:50 2019
  python-srpm-macros-3-34.el7|(none)      Tue Feb  2 09:59:26 2021
  perl-File-Path-2.09-2.el7|(none)      Tue Aug 27 08:09:49 2019
  ivtv-firmware-20080701-26.el7|2      Wed Jan  9 19:12:50 2019
  pyparsing-1.5.6-9.el7|(none)      Tue Aug 27 08:09:54 2019
  systemd-219-78.el7_9.2|(none)      Tue Feb  2 09:59:34 2021
  which-2.20-7.el7|(none)      Wed Jan  9 19:12:04 2019
  slang-2.2.4-11.el7|(none)      Wed Jan  9 19:12:08 2019
  perl-devel-5.16.3-299.el7_9|4      Wed Mar 16 18:15:48 2022
  python-configobj-4.7.2-7.el7|(none)      Wed Jan  9 19:12:10 2019
  perl-libs-5.16.3-299.el7_9|4      Wed Mar 23 14:08:57 2022
  pyliblzma-0.5.3-11.el7|(none)      Wed Jan  9 19:12:10 2019
  readline-6.2-11.el7|(none)      Tue Feb  2 09:58:59 2021
  glusterfs-client-xlators-6.0-49.1.el7|(none)      Wed Mar 23 14:08:59 2022
  hardlink-1.0-19.el7|1      Wed Jan  9 19:12:25 2019
  sqlite-3.7.17-8.el7_7.1|(none)      Tue Feb  2 09:59:01 2021
  polkit-pkla-compat-0.1-4.el7|(none)      Wed Jan  9 19:12:30 2019
  python-ply-3.4-11.el7|(none)      Wed Jan  9 19:43:49 2019
  qemu-img-1.5.3-175.el7_9.3|10      Wed Mar 23 14:09:14 2022
  pygpgme-0.3-9.el7|(none)      Wed Jan  9 19:12:37 2019
  zlib-devel-1.2.7-19.el7_9|(none)      Wed Mar 23 14:09:15 2022
  lsscsi-0.27-6.el7|(none)      Wed Jan  9 19:12:36 2019
  iwl1000-firmware-39.31.5.1-80.el7_9|1      Wed Mar 23 14:09:15 2022
  grubby-8.28-26.el7|(none)      Tue Feb  2 10:01:13 2021
  iwl5150-firmware-8.24.2.2-80.el7_9|(none)      Wed Mar 23 14:09:15 2022
  python-babel-0.9.6-8.el7|(none)      Wed Jan  9 20:38:02 2019
  iwl6000-firmware-9.221.4.1-80.el7_9|(none)      Wed Mar 23 14:09:16 2022
  perl-Exporter-5.68-3.el7|(none)      Tue Aug 27 08:09:47 2019
  ncurses-libs-5.9-14.20130511.el7_4|(none)      Wed Jan  9 19:12:00 2019
  iwl5000-firmware-8.83.5.1_1-80.el7_9|(none)      Wed Mar 23 14:09:17 2022
  perl-constant-1.27-2.el7|(none)      Tue Aug 27 08:09:48 2019
  libsysfs-2.1.0-16.el7|(none)      Wed Jan  9 19:12:49 2019
  xz-libs-5.2.2-1.el7|(none)      Wed Jan  9 19:12:03 2019
  libcap-ng-0.7.5-4.el7|(none)      Wed Jan  9 19:12:04 2019
  libxml2-2.9.1-6.el7_9.6|(none)      Wed Mar 23 14:13:38 2022
  lua-5.1.4-15.el7|(none)      Wed Jan  9 19:12:04 2019
  centos-release-7-9.2009.1.el7.centos|(none)      Sun Jan 31 14:17:24 2021
  yum-3.4.3-161.el7.centos|(none)      Wed Jan  9 19:21:07 2019
  libXi-1.7.9-1.el7|(none)      Thu Apr 14 23:04:10 2022
  python-pycurl-7.19.0-19.el7|(none)      Wed Jan  9 19:12:23 2019
  fipscheck-1.4.1-6.el7|(none)      Wed Jan  9 19:12:22 2019
  libXcomposite-0.4.4-4.1.el7|(none)      Thu Apr 14 23:04:10 2022
  cpio-2.11-28.el7|(none)      Tue Feb  2 09:59:01 2021
  qrencode-libs-3.4.1-3.el7|(none)      Wed Jan  9 19:12:26 2019
  jasper-libs-1.900.1-33.el7|(none)      Thu Apr 14 23:04:11 2022
  iptables-1.4.21-35.el7|(none)      Tue Feb  2 09:59:03 2021
  gobject-introspection-1.56.1-1.el7|(none)      Wed Jan  9 19:22:09 2019
  psmisc-22.20-17.el7|(none)      Thu Apr 14 23:04:11 2022
  python-libs-2.7.5-90.el7|(none)      Tue Feb  2 09:59:11 2021
  alsa-firmware-1.0.28-2.el7|(none)      Wed Jan  9 19:12:34 2019
  jbigkit-libs-2.0-11.el7|(none)      Thu Apr 14 23:04:11 2022
  libssh2-1.8.0-4.el7|(none)      Tue Feb  2 09:59:15 2021
  python-pycparser-2.14-1.el7|(none)      Wed Jan  9 19:43:49 2019
  pcsc-lite-libs-1.8.8-8.el7|(none)      Thu Apr 14 23:04:11 2022
  device-mapper-persistent-data-0.8.5-3.el7_9.2|(none)      Tue Feb  2 09:59:19 2021
  acpid-2.0.19-9.el7|(none)      Wed Jan 16 09:56:44 2019
  hicolor-icon-theme-0.12-7.el7|(none)      Thu Apr 14 23:04:11 2022
  mesa-libglapi-18.3.4-12.el7_9|(none)      Tue Feb  2 16:18:30 2021
  perl-podlators-2.5.1-3.el7|(none)      Tue Aug 27 08:09:45 2019
  javapackages-tools-3.4.1-11.el7|(none)      Thu Apr 14 23:04:11 2022
  libwayland-server-1.15.0-1.el7|(none)      Tue Feb  2 16:18:31 2021
  perl-Time-HiRes-1.9725-3.el7|4      Tue Aug 27 08:09:47 2019
  ttmkfdir-3.0.9-42.el7|(none)      Thu Apr 14 23:04:15 2022
  graphite2-1.3.10-1.el7_3|(none)      Tue Feb  2 16:18:33 2021
  gtk2-2.24.31-1.el7|(none)      Thu Apr 14 23:04:15 2022
  pixman-0.34.0-1.el7|(none)      Tue Feb  2 16:18:34 2021
  keyutils-libs-1.5.8-3.el7|(none)      Wed Jan  9 19:12:00 2019
  bind-libs-lite-9.11.4-26.P2.el7_9.7|32      Fri Jul  1 14:18:53 2022
  libXrender-0.9.10-1.el7|(none)      Tue Feb  2 16:18:35 2021
  perl-Pod-Simple-3.28-4.el7|1      Tue Aug 27 08:09:49 2019
  binutils-2.27-44.base.el7_9.1|(none)      Fri Jul  1 14:18:56 2022
  libXxf86vm-1.1.4-1.el7|(none)      Tue Feb  2 16:18:35 2021
  tar-1.26-35.el7|2      Wed Jan  9 19:20:57 2019
  cyrus-sasl-gssapi-2.1.26-24.el7_9|(none)      Fri Jul  1 14:19:01 2022
  hwdata-0.252-9.7.el7|(none)      Tue Feb  2 16:18:37 2021
  libedit-3.0-12.20121213cvs.el7|(none)      Wed Jan  9 19:12:07 2019
  glib2-2.56.1-9.el7_9|(none)      Fri Jul  1 14:19:17 2022
  mesa-libGL-18.3.4-12.el7_9|(none)      Tue Feb  2 16:18:38 2021
  newt-0.52.15-4.el7|(none)      Wed Jan  9 19:12:08 2019
  kernel-tools-3.10.0-1160.59.1.el7|(none)      Fri Jul  1 14:20:09 2022
  cairo-1.15.12-4.el7|(none)      Tue Feb  2 16:18:39 2021
  python-slip-0.4.0-4.el7|(none)      Wed Jan  9 19:12:10 2019
  libX11-common-1.6.7-4.el7_9|(none)      Fri Jul  1 14:20:32 2022
  libselinux-2.5-15.el7|(none)      Tue Feb  2 09:58:51 2021
  nss-util-3.67.0-1.el7_9|(none)      Fri Jul  1 14:21:33 2022
  haveged-1.9.1-1.el7|(none)      Sun Sep 12 03:43:55 2021
  libacl-2.2.51-15.el7|(none)      Tue Feb  2 09:58:53 2021
  nss-sysinit-3.67.0-4.el7_9|(none)      Fri Jul  1 14:21:34 2022
  oracle-instantclient12.1-sqlplus-12.1.0.2.0-1|(none)      Sun Sep 12 05:09:38 2021
  iputils-20160308-10.el7|(none)      Wed Jan  9 19:12:30 2019
  openssh-7.4p1-22.el7_9|(none)      Fri Jul  1 14:21:45 2022
  python-backports-ssl_match_hostname-3.5.0.1-1.el7|(none)      Wed Jan  9 19:43:49 2019
  openssl-1.0.2k-25.el7_9|1      Fri Jul  1 14:21:54 2022
  python-enum34-1.0.4-1.el7|(none)      Wed Jan  9 19:43:50 2019
  python-perf-3.10.0-1160.59.1.el7|(none)      Fri Jul  1 14:22:06 2022
  vim-minimal-7.4.629-8.el7_9|2      Tue Feb  2 09:59:24 2021
  rpm-python-4.11.3-48.el7_9|(none)      Fri Jul  1 14:22:09 2022
  freetype-2.8-14.el7_9.1|(none)      Tue Feb  2 09:59:25 2021
  python-rpm-macros-3-34.el7|(none)      Tue Feb  2 09:59:26 2021
  dracut-033-572.el7|(none)      Tue Feb  2 09:59:30 2021
  dbus-1.10.24-15.el7|1      Tue Feb  2 09:59:35 2021
  cronie-1.4.11-23.el7|(none)      Tue Feb  2 09:59:53 2021
  libseccomp-2.3.1-4.el7|(none)      Tue Feb  2 09:59:56 2021
  dhclient-4.2.5-82.el7.centos|12      Tue Feb  2 10:00:01 2021
  ncurses-libs-5.9-14.20130511.el7_4|(none)      Sun Sep 12 05:27:37 2021
  tuned-2.11.0-10.el7|(none)      Tue Feb  2 10:00:26 2021
  unixODBC-2.3.1-14.el7|(none)      Sun Sep 12 05:28:23 2021
  parted-3.1-32.el7|(none)      Tue Feb  2 10:01:04 2021
  xz-devel-5.2.2-1.el7|(none)      Sun Sep 12 05:43:48 2021
  libgcrypt-devel-1.5.3-14.el7|(none)      Sun Sep 12 05:44:44 2021
  xfsprogs-4.5.0-22.el7|(none)      Tue Feb  2 10:01:14 2021
0 Karma


satyaallaparthi
Communicator

That's awesome, I didn't even know we could do "max_match = 0"; that extracts all of them, but I need the date as well, when the package was installed.

 

Maybe I should write a regex for the whole line and then use some split and mvindex? 🤔

0 Karma

ITWhisperer
SplunkTrust

Is all this information in a single (multi-line) event?

Please can you share a sample event (using a code block </>)?

0 Karma

satyaallaparthi
Communicator

Yes, I need them in multi-line, but I can do mvexpand even if I get all of them in one, but I need the date as well, when the package was installed.

0 Karma

ITWhisperer
SplunkTrust

| rex max_match=0 "(?<packagedate>.+\|\S+\s+.*)"
| mvexpand packagedate
| rex field=packagedate "(?<package>.+)\|\S+\s+(?<date>.*)"
| eval date=strptime(date,"%c")
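The extraction the thread converges on, reproduced in Python as an added example (this is not SPL from the thread, nor Nessus or Splunk code): `re.search` behaves like a rex without `max_match=0` and shows why the asker's first pattern only returned one line, `re.finditer` plays the role of `max_match=0` plus `mvexpand`, and the per-line pattern and timestamp parsing follow the shape of ITWhisperer's answer. The sample event is a constructed, abbreviated copy of the plugin output posted above; the explicit `RPM_TIME_FORMAT` replaces the locale-dependent `%c`, and `installed_since` is an added helper that puts the extracted install date to use.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: an abbreviated copy of the Nessus "Software Enumeration (SSH)"
# plugin output quoted in the thread (same layout, only five package lines).
SAMPLE_EVENT = """Here is the list of packages installed on the remote CentOS Linux system :

  python-prettytable-0.7.2-3.el7|(none)      Wed Jan  9 20:38:03 2019
  gettext-0.19.8.1-3.el7|(none)      Wed May 13 07:35:27 2020
  glibc-2.17-324.el7_9|(none)      Wed Mar 16 18:10:11 2022
  device-mapper-event-1.02.170-6.el7_9.3|7      Tue Feb  2 09:59:51 2021
  glibc-2.17-324.el7_9|(none)      Wed Mar 16 18:10:12 2022
"""

# The question's first attempt: anchored on the header, single capture.
# `.` does not cross a newline and re.search stops at the first match, which is
# why the rex without max_match=0 returned only the first package line.
FIRST_ONLY_RE = re.compile(r"Linux\ssystem\s:\s+(?P<packages>.+)")

# Per-line pattern in the spirit of ITWhisperer's second rex: everything up to
# the pipe is the package name-version-release, then the rpm epoch ("(none)" or
# an integer), then the rpm install timestamp. MULTILINE anchors ^/$ per line.
LINE_RE = re.compile(
    r"^\s*(?P<package>[^|\n]+)\|(?P<epoch>\S+)\s+(?P<date>.+?)\s*$",
    re.MULTILINE,
)

# Explicit layout of the rpm timestamp instead of the locale-dependent "%c" used
# in the SPL answer; Python's strptime treats format whitespace as \s+, so the
# double space before a single-digit day ("Feb  2") still matches "%d".
RPM_TIME_FORMAT = "%a %b %d %H:%M:%S %Y"


def first_match_only(event: str) -> Optional[str]:
    """Reproduce the failing attempt: one match, first package line only."""
    m = FIRST_ONLY_RE.search(event)
    return m.group("packages") if m else None


def extract_packages(event: str) -> List[Dict]:
    """Equivalent of rex max_match=0 + mvexpand + rex field=...: one record per line."""
    rows = []
    for m in LINE_RE.finditer(event):
        epoch = m.group("epoch")
        rows.append(
            {
                "package": m.group("package").strip(),
                # "(none)" is rpm's way of saying the epoch is unset.
                "epoch": None if epoch == "(none)" else int(epoch),
                "installed": datetime.strptime(m.group("date"), RPM_TIME_FORMAT),
            }
        )
    # Repeated names (glibc twice here) are kept on purpose: rpm -qa prints one
    # line per installed architecture, and each carries its own install time.
    return rows


def installed_since(event: str, cutoff: datetime) -> List[str]:
    """Packages installed at or after `cutoff`, newest first (added helper:
    the install date the asker wanted, applied to spotting recent changes)."""
    recent = [r for r in extract_packages(event) if r["installed"] >= cutoff]
    recent.sort(key=lambda r: r["installed"], reverse=True)
    return [r["package"] for r in recent]


if __name__ == "__main__":
    print("single match:", first_match_only(SAMPLE_EVENT))
    for row in extract_packages(SAMPLE_EVENT):
        print(row["package"], row["epoch"], row["installed"].isoformat())
    print("installed in 2022:", installed_since(SAMPLE_EVENT, datetime(2022, 1, 1)))
```

Running the script prints the single first-line match, then all five package records with their epoch and parsed install time. The same `[^|\n]+` / `\S+` split is what makes the `|7` epoch lines (device-mapper-event here) parse identically to the `|(none)` ones.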